Abstract

Safety assessment of new air traffic management systems is a main issue for civil 
aviation authorities. Standard techniques such as testing and simulation have serious 
limitations in new systems that are significantly more autonomous than the older ones. 

In this paper, we present an innovative approach, based on formal verification, for 
establishing the correctness of conflict detection systems. Fundamental to our approach 
is the concept of trajectory, which is a continuous path in the x-y plane constrained
by physical laws and operational requirements. From the model of trajectories, we 
extract, and formally prove, high level properties that can serve as a framework to 
analyze conflict scenarios. We use the AILS alerting algorithm as a case study of our 
approach. 
1 Introduction


In the current aerospace system, commercial flights are controlled by Air Traffic Control 
(ATC) from gate-to-gate. Before a flight can take place, the complete route plan must be sent 
to the ATC authorities in charge of the geographical sectors crossed by the aircraft. During 
the flight, even minor changes to the plan require a clearance from ATC before they can be 
performed. New distributed air-ground traffic management concepts [1] are being developed 
to address the inefficiencies of the current system. For example, the free-flight concept allows
direct flight routes without ATC intervention [16], and the Airborne Information for Lateral 
Spacing (AILS) concept allows simultaneous and independent landing on closely spaced 
runways [17]. 

A key aspect of these new concepts is that they shift responsibility for aircraft separation 
from air traffic controllers to pilots and automation. This change is theoretically possible 
because recent technology such as D-GPS (Differential Global Position System) and ADS-B 
(Automatic Dependent Surveillance Broadcast) can provide very accurate data-flight information to pilots and on-board computers. Computer systems can warn pilots when other
aircraft are dangerously intruding into their own airspace. Despite the technology advances, 
a major concern of civil aviation authorities is that this approach may compromise the overall 
system safety. 

In this paper, we address the issue of safety assessment for conflict detection systems.
In the avionics community, testing and simulations are the standard methods for certifying
safety of digital systems. The AILS project, for instance, has conducted extensive simulation
and testing of the alerting algorithm. So far, no major flaws in its logic have been
detected. However, neither testing nor simulation can give a definitive answer to questions
such as: "What is the lookahead time for an alarm prior to a conflict?" or "Does there exist
a trajectory leading to an undetected conflict?" These questions can only be solved by using
mathematical analysis. Given the nature of the problem^1, we also believe that such analysis
should be mechanically checked via a theorem proving system, such as PVS, or other
automated proving techniques, e.g., model-checking.

In general, avionics systems, such as AILS, are hybrid systems. That is, they consist
of simultaneous discrete and continuous behavior. The continuous behavior arises from the
kinematics of the aircraft. The discrete behavior is an inherent aspect of any embedded
digital system. Several approaches have been used in the literature to model hybrid systems
(see [18]). Most of these approaches use extensions of finite state automata theory to handle
state variables ranging over real numbers. Properties are then formalized as a reachability
problem and proven by using model-checking and theorem proving techniques. These
techniques have been shown to be effective for handling systems where control logic modes
trigger continuous and dynamic changes of the state. For instance, the TCAS alerting system
for preventing midair collision was modeled using a hybrid automata approach [14]. In
other collision alerting systems, such as AILS, the discrete aspects do not arise from control
variables but from the discretization of temporal and spatial domains. For instance, the
AILS algorithm checks every half a second whether future aircraft locations (calculated by
projection of the current locations) violate a distance threshold in a given lookahead time.

^1 As the appendix reveals, the analysis required to establish the safety properties involves a complex mixture
of long deductions, algebraic manipulations, calculations of formulas with specific values, and inequality
reasoning. Performing this analysis by hand is tedious and error prone. For example, some of the proofs
required case splits that on the surface looked symmetrical, but were later found to be slightly different
during mechanical checking.

In our approach, instead of relying on state automata models, we construct a continuous 
model of aircraft trajectories, where we can prove properties using standard calculus and 
mathematics. Then, we verify the correctness of the algorithm with respect to this continuous 
model. In this paper, and for readability, we have used standard mathematics and traditional 
logic reasoning. Nevertheless, our development has been formally checked in the general 
verification system PVS [15]. All the theories and proofs are available through the URL
http://shemesh.larc.nasa.gov/fm/ftp/ails/.

The remainder of this paper is organized as follows. In Section 2, we develop a mathematical
framework for the analysis of conflict scenarios. This framework is formalized and
verified in Section 3. In Section 4, we use our mathematical model to study the correctness of
the AILS alerting algorithm. The last section summarizes our work and contains concluding
remarks. As appendices, we include the technical lemmas referenced in the paper, a table
of translations for the conventions used in the paper into the equivalent PVS language, and
the AILS alerting algorithm in PVS.

2 Conflict Avoidance Framework 

Conflict detection algorithms are designed to predict conflict situations between the own
aircraft and another aircraft within some lookahead time T in the future, i.e., T > 0. In
our framework, two aircraft have a (potential) conflict at time T if there exists a trajectory
leading to a distance between the aircraft less than a given value ConflictRange at time T.
The value of ConflictRange largely depends on the concept that is being implemented. For
a landing concept such as AILS, the ConflictRange is in the order of feet, but for a general
mid-air conflict detection algorithm it could be in the order of nautical miles.

Predictions of aircraft trajectories are made to determine if a conflict exists in a given 
lookahead time. Two types of information can be used for prediction: (1) intent information 
for medium to long lookahead times; and (2) state information for short to medium lookahead 
times. Intent information refers to information in flight plans, destination, in route way 
points, etc. State information uses the airplane heading, speed and location to predict 
future aircraft states. In this paper, we are only concerned with trajectory prediction based 
on state information. 

Assuming that aircraft have reliable access to accurate data flight information, two key 
properties that must be established for a conflict detection algorithm are (1) any predicted 
conflict within time T issues an alarm at time 0, and (2) an alarm at time 0 reflects a 
potential conflict at time T. The first property is called correctness and the latter one is 
certainty. Notice that certainty means that the alerting system does not issue false alarms. 
Since possible conflicts that are not alerted may lead to future collisions, correctness is a much
more critical feature, from a safety point of view, than certainty. However, false alarms will
have a negative effect on the overall performance of the airspace system [12].

Given the hybrid nature of conflict detection systems, formal verification of correctness
and certainty is a complex task, highly dependent on the particular subtleties of each
algorithm. In this section, we develop a general framework to study this kind of system.
It consists of (1) a nominal model of trajectories, (2) intruder and evader aircraft trajectory
assumptions, (3) convergence and divergence trajectory criteria, and (4) a set of general
conditions for conflict avoidance. This framework, which is formalized and verified in Section 3,
is used in Section 4 for studying the correctness and certainty properties of the AILS alerting
algorithm.

2.1 Aircraft Trajectories 

At the basis of our verification approach is the concept of aircraft trajectory. In [13], Kuchar
and Yang present a survey on conflict detection and resolution modeling methods. In that
survey, three kinds of trajectory models are characterized: nominal, worst-case, and probabilistic.
In the nominal approach, the future aircraft state, i.e., position, speed, heading,
bank angle, is projected from the current state according to physics laws. In the worst-case
approach, the future state is projected by following a policy of extreme values for specific
state variables. In a probabilistic model, uncertainties such as weather conditions or extrapolation
errors are taken into account to calculate the most probable aircraft trajectories. For
the case of parallel landing, an algorithm based on a probabilistic model was proposed in [6].

In general, nominal models are more conservative than probabilistic and worst-case ones.
However, they also generate a greater number of false alarms. In contrast, probabilistic
models produce a lower number of false alarms [11, 6], but they may disregard some rare
conflicting situations. To formally answer a question such as "Does there exist a conflict
without an alarm being issued?" we need a model that includes the set of all possible
trajectories from given aircraft initial states. This is precisely the information provided by our
nominal model.

In our model, a trajectory is defined to be a continuous path in the x-y plane subject
to constraints imposed by the aircraft dynamics.^2 Formally, the kinematics of an aircraft
moving at constant ground speed v in a two-dimensional plane is given by the equations

$$x'(t) = v\cos(\theta(t)) \qquad (1)$$

$$y'(t) = v\sin(\theta(t)) \qquad (2)$$

$$\theta'(t) = (g/v)\tan(\phi(t)) \qquad (3)$$

where $x, y, \theta, \phi$ are differentiable functions mapping time to location coordinates, heading,
and bank angle, respectively. Equations 1 and 2 state that the derivative of the position
functions gives the velocity vector of the aircraft. Equation 3 relates the bank angle with
the heading of the aircraft. That equation states that the rate of direction change of an
aircraft is proportional to the tangent of the bank angle by a factor of g/v, where g is the
gravitational force. We assume a minimal ground speed of 210 feet per second.

^2 The vertical separation is typically handled separately. This will be studied in future work.

In addition to the above physical constraints, we impose a maximum bank angle operational
constraint for commercial aircraft to be 35°, i.e.,

$$|\phi(t)| \le 35\pi/180. \qquad (4)$$

Henceforth, we use the constant $\mathrm{MaxBank} = 35\pi/180$.

From the equations defining the motion of the aircraft, we can deduce minimum and
maximum distances traveled by an aircraft in a given time. In particular, vt is the farthest
distance, i.e., via straight line, that can be reached by an aircraft moving at constant speed
v in t seconds. That property is called YCNGFTYS, which stands for You Cannot Go Faster
Than Your Speed, and can be stated as follows

Theorem 1 (YCNGFTYS).

$$0 \le t \supset \sqrt{(x(t) - x(0))^2 + (y(t) - y(0))^2} \le vt.$$

The above theorem has been formally proven in PVS. The proof, however, is much more 
complex than the intuition behind it, which is illustrated in Figure 1. 



Figure 1: You Cannot Go Faster Than Your Speed 

According to Figure 2, for an aircraft moving at constant speed v and with a constant
bank angle $\phi$, the distance from the position at time 0 to the position at time t is given by
the formula

$$m(v,\phi,t) = 2r(v,\phi)\sin(vt/2r(v,\phi)) \qquad (5)$$

where $r(v,\phi)$ is the turn radius of the aircraft.


Figure 2: Distance Traveled in Curved Trajectory 

The turn radius $r(v,\phi)$ can be calculated as follows.

$$vt/r(v,\phi) = (g/v)\tan(\phi)\,t \qquad \text{(From Equation 3)}$$

$$v/r(v,\phi) = (g/v)\tan(\phi) \qquad \text{(Simplifying } t\text{)}.$$

Thus,

$$r(v,\phi) = v^2/(g\tan(\phi)). \qquad (6)$$

According to Formula 4, the maximum change of heading per second of an aircraft moving
at constant speed v is given by

$$\rho(v) = (g/v)\tan(\mathrm{MaxBank}). \qquad (7)$$

From Equation 6 and Equation 7:

$$r(v,\mathrm{MaxBank}) = v/\rho(v) \qquad (8)$$

and from Equation 5 and Equation 8:

$$m(v,\mathrm{MaxBank},t) = 2r(v,\mathrm{MaxBank})\sin(\rho(v)t/2). \qquad (9)$$

When $0 < \rho(v)t < 2$, we have formally proven in PVS that $m(v,\mathrm{MaxBank},t)$ is the minimum
distance traveled by an aircraft moving at constant speed v in t seconds.^3 The property is
called YCNGSTYS, which stands for You Cannot Go Slower Than Your Speed.

^3 We conjecture that the property still holds for $0 < \rho(v)t < 2\pi$; but, we could not find a formal proof of
this proposition.
Theorem 2 (YCNGSTYS).

$$0 < \rho(v)t < 2 \supset m(v,\mathrm{MaxBank},t) \le \sqrt{(x(t) - x(0))^2 + (y(t) - y(0))^2}.$$

According to theorems YCNGFTYS (Theorem 1) and YCNGSTYS (Theorem 2), for an aircraft
moving at constant ground speed v, the inner circle of radius $m(v,\mathrm{MaxBank},t)$ and the outer
circle of radius vt, both centered at the current position of the aircraft, delimit the area that
could be reached by the aircraft at time t. See Figure 3.



Figure 3: Reachable Area of an Aircraft at Time t 
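As an added illustration of Equations 1 through 9 and Theorems 1 and 2 (this Python script is not part of the paper or its PVS development), the following code integrates the aircraft kinematics numerically for a few bank-angle profiles and checks that the distance reached after t seconds lies in the annulus between m(v, MaxBank, t) and vt. The numeric value of g is not given on the page, so 32.174 ft/s² is an assumption of the example; the midpoint integration scheme and the sample profiles are constructed for it as well.

```python
import math

# Constants. MaxBank = 35 pi/180 is Equation 4 of the paper; the numeric value of g is
# not given on the page, so the standard 32.174 ft/s^2 is an assumption of this example.
G = 32.174
MAX_BANK = 35 * math.pi / 180


def turn_radius(v, phi):
    """Equation 6: r(v, phi) = v^2 / (g tan(phi))."""
    return v * v / (G * math.tan(phi))


def max_turn_rate(v):
    """Equation 7: rho(v) = (g / v) tan(MaxBank), the maximum heading change per second."""
    return (G / v) * math.tan(MAX_BANK)


def min_distance(v, t):
    """Equation 9: m(v, MaxBank, t) = 2 r(v, MaxBank) sin(rho(v) t / 2), the chord of a
    turn flown at maximum bank for t seconds (the minimum reachable distance, Theorem 2)."""
    return 2 * turn_radius(v, MAX_BANK) * math.sin(max_turn_rate(v) * t / 2)


def simulate(v, bank_profile, t, dt=0.01):
    """Integrate Equations 1-3 with the midpoint rule for a bank-angle profile phi(s).
    Returns the straight-line distance from the start to the position at time t."""
    x = y = theta = 0.0
    for k in range(int(round(t / dt))):
        phi = bank_profile(k * dt + dt / 2)      # bank angle at the midpoint of the step
        if abs(phi) > MAX_BANK:
            raise ValueError("bank angle exceeds MaxBank (Equation 4)")
        dtheta = (G / v) * math.tan(phi)         # Equation 3: theta'(t) = (g/v) tan(phi(t))
        theta_mid = theta + dtheta * dt / 2
        x += v * math.cos(theta_mid) * dt        # Equation 1
        y += v * math.sin(theta_mid) * dt        # Equation 2
        theta += dtheta * dt
    return math.hypot(x, y)


def within_reachable_annulus(v, t, dist, tol=1e-3):
    """Theorems 1 and 2: m(v, MaxBank, t) <= dist <= v t, valid for 0 < rho(v) t < 2."""
    if not 0 < max_turn_rate(v) * t < 2:
        raise ValueError("Theorem 2 is only proven for 0 < rho(v) t < 2")
    return min_distance(v, t) - tol <= dist <= v * t + tol


if __name__ == "__main__":
    profiles = {
        "straight": lambda s: 0.0,
        "max bank": lambda s: MAX_BANK,
        "weaving": lambda s: MAX_BANK * math.sin(s),   # constructed sample profile
    }
    for name, profile in profiles.items():
        dist = simulate(250, profile, 10)
        print(f"{name:9s} reached {dist:8.1f} ft; annulus "
              f"[{min_distance(250, 10):.1f}, {250 * 10:.1f}] -> "
              f"{within_reachable_annulus(250, 10, dist)}")
```

The straight-line profile reaches exactly vt and the constant maximum-bank profile reaches the chord m(v, MaxBank, t) up to integration error; any admissible profile in between lands inside the annulus, which is what the two theorems assert.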


2.2 Intruder and Evader Aircraft 

We consider an airspace sector with only two aircraft. We also assume that one of the
aircraft, called evader, follows a straight path at its current heading, i.e., the bank angle
of the evader is considered to be always 0. The other aircraft is called intruder and no
particular assumptions are made for its trajectory. Without loss of generality, we take a
coordinate system where the x-axis coincides with the evader trajectory. In that case, the
heading angle of the evader aircraft is always 0.

Multiple-aircraft scenarios can be modeled as sequential composition of pair-wise aircraft
conflict detection algorithms. Notice however, that when solving conflicts in a multiple-aircraft
system, solutions to a pair of aircraft could create new conflicts in previously solved
aircraft. Although conflict resolution algorithms are out of the scope of this report, we would
like to mention at least three kinds of techniques for conflict resolution that are relevant to
our model of trajectories (see for example, [2, 4, 5, 10]): geometric optimization, modified
potential-field, and predefined escape maneuver. The first one tries to minimize the velocity
vector change required for each conflict for solving the conflict. The modified potential-field
approach exploits an analogy between air traffic and repulsion-attraction features of charged
particles in a potential field. Predefined escape maneuvers are used in specific flight situations
where stronger assumptions on aircraft trajectories can be made. Landing is one of these
situations. Indeed, the AILS concept uses a predefined escape maneuver which instructs the
pilot of the evader aircraft to climb and turn away 45° from the intruder aircraft when a
traffic warning alarm is issued.

Henceforth, state functions representing the state of the evader aircraft are subscripted
with a lowercase e; similarly, intruder state functions are subscripted with a lowercase i. We
use $\theta_0$ as an abbreviation for $\theta_i(0)$. Applying the above restrictions on the evader trajectory
to Equations 1, 2, and 3, we get

$$x_e(t) = X_e + v_e t \qquad (10)$$

$$y_e(t) = Y_e \qquad (11)$$

$$\theta_e(t) = 0 \qquad (12)$$

$$\phi_e(t) = 0 \qquad (13)$$

where $X_e$ and $Y_e$ are the coordinates of the initial evader position.

The evader represents an aircraft flying under normal conditions while the intruder represents
a blundering aircraft. Constraints on the evader trajectory are justifiable since even under
free-flight rules, aircraft normally fly on straight lines. In the particular case of the AILS
concept, and for safety reasons, the alerting algorithm runs twice on each airplane. In the first
execution, the algorithm treats the local aircraft as the evader and the foreign aircraft as the
intruder. In the second execution, the roles of intruder and evader aircraft are interchanged.

2.3 Convergence and Divergence of Trajectories 

Fundamental to a conflict detection algorithm is the ability to determine whether the trajectories
of two aircraft are diverging or converging and to find the point of closest separation
of the projected trajectories. This amounts to finding the minimum of the distance between
two straight lines. If the evader aircraft is assumed to have heading 0 and the intruder
aircraft has heading $\theta$, then the equations defining the projected trajectories are

$$x^*_e(t) = x_e(0) + v_e t$$

$$y^*_e(t) = y_e(0)$$

$$x^*_i(t) = x_i(0) + v_i t\cos(\theta)$$

$$y^*_i(t) = y_i(0) + v_i t\sin(\theta)$$

and the distance between the projected trajectories at time t, R(t), can be computed as
follows:

$$\Delta_x(t) = x^*_i(t) - x^*_e(t)$$

$$\Delta_y(t) = y^*_i(t) - y^*_e(t)$$

$$R(t) = \sqrt{\Delta_x(t)^2 + \Delta_y(t)^2}$$

To find the minimum of R(t), first the derivative of R(t) is computed:

$$R'(t) = \frac{\Delta_x(t)\Delta'_x + \Delta_y(t)\Delta'_y}{R(t)} \qquad (14)$$

where

$$\Delta'_x = v_i\cos(\theta) - v_e$$

$$\Delta'_y = v_i\sin(\theta)$$

When $R'(t + \tau) = 0$, we get the time $\tau$, relative to t, of the point of closest separation
between the aircraft. The solution to this equation is:

$$\tau(t) = -\frac{\Delta_x(t)\Delta'_x + \Delta_y(t)\Delta'_y}{\Delta'^2_x + \Delta'^2_y}$$

These equations were formally derived using the computer algebra tool MuPAD [9]. It is
important to note that $\tau$ is undefined, i.e., the denominator is zero, when the aircraft are parallel
and the ground speeds are equal.

For any time t, if $\tau(t)$ is negative or zero, the tracks are diverging or parallel, respectively.
If $\tau(t)$ is greater than zero, the tracks are converging and $\tau(t)$ is the time of closest separation
relative to t. See Figure 4.


Figure 4: Converging tracks 


We have formally proven that $\tau$ satisfies the following properties.

Lemma 1 (derivative_eq_zero_min).

$$R(t_1 + \tau(t_1)) \le R(t_1 + t_2).$$

Lemma 2 (asymptotic_decrease_tau).

$$t_1 \le t_2 \le \tau(t) \supset R(t + t_1) \ge R(t + t_2).$$

Lemma 3 (asymptotic_increase_tau).

$$\tau(t) \le t_1 \le t_2 \supset R(t + t_1) \le R(t + t_2).$$

2.4 General Conditions for Conflict Avoidance 

In this section, we present a set of sufficient conditions for conflict avoidance between intruder
and evader aircraft. The basic geometry of our approach is illustrated in Figure 5. The
initial position of the intruder is $(x_i(0), y_i(0))$ and the position of the evader at time T is
$(x_e(T), y_e(T))$. We name the angle between the path of the evader and the line passing by
these two points as $\beta$. The distance from $(x_i(0), y_i(0))$ to $(x_e(T), y_e(T))$ is named $l$. Label
$d$ denotes the distance between the initial evader position and the initial intruder position.
Given a time t, $0 \le t \le T$, the expressions $e(t)$ and $i(t)$ denote the distance between the
intruder at time t and the evader at time T, and the distance between the intruder at time
0 and the intruder at time t, respectively. We also use $r$, $\rho$, and $m(t)$ as abbreviations for
$r(v_i, \mathrm{MaxBank})$, $\rho(v_i)$, and $m(v_i, \mathrm{MaxBank}, t)$, respectively.

Formally, the distance from the position of the intruder aircraft at time $t_i$ to the position
of the evader aircraft at time $t_e$, denoted $D_{ie}(t_i, t_e)$, is defined as follows

$$D_{ie}(t_i, t_e) = \sqrt{(x_i(t_i) - x_e(t_e))^2 + (y_i(t_i) - y_e(t_e))^2}.$$

Therefore,

$$l = D_{ie}(0, T)$$

$$d = D_{ie}(0, 0)$$

$$e(t) = D_{ie}(t, T)$$

$$i(t) = \sqrt{(x_i(0) - x_i(t))^2 + (y_i(0) - y_i(t))^2}$$

$$\theta_0 = \theta_i(0)$$

and $\beta$ is an angle such that

$$x_e(T) = l\cos(\beta) + x_i(0) \qquad (16)$$

$$y_e(T) = y_i(0) - l\sin(\beta) \qquad (17)$$

Formally, we say that two aircraft are in a conflict at time t when the following predicate
holds

$$\mathrm{conflict}_{ie}(t) \equiv D_{ie}(t, t) \le \mathrm{ConflictRange}. \qquad (18)$$
Figure 5: Basic Geometry

Note that $\neg\mathrm{conflict}_{ie}(T)$ is equivalent to $e(T) > \mathrm{ConflictRange}$. Furthermore,
$\mathrm{conflict}_{ie}(T)$ does not include conflicts at times less than T. However, since we assume a
continuous time, a conflict at time t < T can be analyzed by taking a new reference time
system, where time 0 is t − T. In the new time reference, the conflict happens at time T.

We now state a set of sufficient conditions to avoid conflict scenarios between intruder
and evader aircraft. All these conditions are suggested by the geometry of the problem.
Conditions (1) and (2) are consequences of the reachable area of an aircraft explained in Section
2.1. Condition (3) states that given some initial conditions, if intruder and evader aircraft
are heading in opposite directions, then a conflict scenario is impossible. The last condition
characterizes non-conflict scenarios when both aircraft are heading in the same direction.

Given $T > 0$, we have $\neg\mathrm{conflict}_{ie}(T)$ when

1. no_conflict_gt_max:

$$l > \mathrm{MaxDistance},$$

where $\mathrm{MaxDistance} = v_i T + \mathrm{ConflictRange}$, or

2. no_conflict_lt_min:

$$l < \mathrm{MinDistance} \wedge 0 < \rho T < 2,$$

where $\mathrm{MinDistance} = m(T) - \mathrm{ConflictRange}$, or

3. no_conflict_Omega:

$$l > \mathrm{ConflictRange} + v_i \wedge \rho T < \pi - \rho \wedge \mathrm{Omega}(\beta + \theta_0),$$

where $\mathrm{Omega}(\alpha) \equiv \pi/2 < \alpha < 3\pi/2$.

If $v_i = v_e = 250$ feet/s and $\mathrm{AlertRange} = 1400$ feet, as it is in the AILS concept, we also
have $\neg\mathrm{conflict}_{ie}(T)$ when

4. ails_no_conflict_tau_le0:

$$\mathrm{MinDistance} < l < \mathrm{MaxDistance} \wedge 9.5 \le T \le 10 \wedge \neg\mathrm{Omega}(\beta + \theta_0) \wedge d \ge \mathrm{AlertRange} \wedge \tau(0) \le 0.$$

The next section is devoted to the formal verification of the conflict avoidance properties.
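As an added example (not code from the paper or its PVS development), the following Python module implements the projection quantities of Section 2.3, τ(t) and R(t), and evaluates the four sufficient conditions of Section 2.4 on constructed initial states: evader at the origin flying along the x-axis, intruder 2000 ft to the side with different headings. Assumptions of the example: g = 32.174 ft/s² (not given on the page), Omega is tested on the angle reduced modulo 2π, and 200 ft is a sample ConflictRange; the AILS values 250 ft/s and 1400 ft are the paper's.

```python
import math

G = 32.174                      # ft/s^2, assumed (the page does not give a value)
MAX_BANK = 35 * math.pi / 180   # Equation 4


def rho(v):
    """Equation 7: maximum heading change per second at ground speed v."""
    return (G / v) * math.tan(MAX_BANK)


def m(v, t):
    """Equation 9 with Equation 8: m(v, MaxBank, t) = 2 (v / rho(v)) sin(rho(v) t / 2)."""
    return 2 * (v / rho(v)) * math.sin(rho(v) * t / 2)


def tau(xi, yi, theta, vi, xe, ye, ve):
    """Section 2.3: time of closest separation of the straight-line projections, relative
    to now. The evader flies along the x-axis (heading 0). Returns None when tau is
    undefined, i.e. parallel tracks at equal ground speed (zero denominator)."""
    dx, dy = xi - xe, yi - ye                                    # Delta_x(0), Delta_y(0)
    ddx, ddy = vi * math.cos(theta) - ve, vi * math.sin(theta)   # Delta'_x, Delta'_y
    denom = ddx * ddx + ddy * ddy
    if denom == 0:
        return None
    return -(dx * ddx + dy * ddy) / denom


def projected_distance(t, xi, yi, theta, vi, xe, ye, ve):
    """R(t): distance between the projected (straight-line) positions at time t."""
    dx = (xi + vi * t * math.cos(theta)) - (xe + ve * t)
    dy = (yi + vi * t * math.sin(theta)) - ye
    return math.hypot(dx, dy)


def omega(alpha):
    """Omega(alpha): pi/2 < alpha < 3pi/2. Reducing the angle modulo 2pi first is an
    assumption of this example; the paper does not say how angles are normalised."""
    a = alpha % (2 * math.pi)
    return math.pi / 2 < a < 3 * math.pi / 2


def no_conflict_conditions(xi, yi, theta0, vi, xe, ye, ve, T, conflict_range, alert_range=None):
    """Evaluate the sufficient conditions of Section 2.4 on initial states (feet, ft/s,
    radians, seconds). Returns the names of the conditions that hold; an empty list means
    the framework certifies nothing about time T for these states."""
    xeT, yeT = xe + ve * T, ye                          # evader at time T (Equations 10-11)
    l = math.hypot(xeT - xi, yeT - yi)                  # l = D_ie(0, T)
    d = math.hypot(xe - xi, ye - yi)                    # d = D_ie(0, 0)
    beta = math.atan2(yi - yeT, xeT - xi)               # beta from Equations 16-17
    max_distance = vi * T + conflict_range
    min_distance = m(vi, T) - conflict_range
    rT = rho(vi) * T
    holds = []
    if l > max_distance:                                # condition 1
        holds.append("no_conflict_gt_max")
    if l < min_distance and 0 < rT < 2:                 # condition 2
        holds.append("no_conflict_lt_min")
    if l > conflict_range + vi and rT < math.pi - rho(vi) and omega(beta + theta0):
        holds.append("no_conflict_Omega")               # condition 3
    if vi == ve == 250 and alert_range == 1400:         # condition 4: AILS parameters only
        t0 = tau(xi, yi, theta0, vi, xe, ye, ve)
        if (min_distance < l < max_distance and 9.5 <= T <= 10 and not omega(beta + theta0)
                and d >= alert_range and t0 is not None and t0 <= 0):
            holds.append("ails_no_conflict_tau_le0")
    return holds


if __name__ == "__main__":
    # Constructed sample: evader at the origin heading along x at 250 ft/s, intruder at
    # (1000, 2000) ft heading 10 degrees (diverging) or -100 degrees (converging).
    for heading in (10, -100):
        print(heading, no_conflict_conditions(1000, 2000, math.radians(heading), 250,
                                              0, 0, 250, 10, 200, 1400))
```

For the diverging intruder the only condition that fires is the AILS-specific one (l lies between MinDistance and MaxDistance, d exceeds AlertRange and τ(0) is negative); for the converging intruder none holds, which is the expected outcome, since the conditions are sufficient, not necessary.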


3 Formal Verification of the Conflict Avoidance Framework

The specification language of the PVS system is based on a higher-order logic extended
with a very rich type theory. This language gives us all the necessary power to express our
model of nominal trajectories in a simple way. For instance, trajectories are defined via the
PVS subtyping mechanism in such a manner that the equations characterizing the motion
of an aircraft are just type-correctness conditions. Most of these conditions are discharged
automatically by the PVS type checker.

PVS includes several decision procedures to cope with well-known decidable theories.
However, like most theorem provers, it has little automated support for non-linear arithmetic
and real analysis. We have extended the pre-defined theory of real numbers and the theory
of differentiable functions developed in [3] with theories dealing with trigonometric and other
transcendental functions.

Non-effective real functions are declared in PVS as uninterpreted constants of a given type.
Their behavior is then constrained via axioms. For example, cos and sin are functions from
reals to the real interval $[-1 \ldots 1]$ satisfying, among other properties, $\sin(a)^2 + \cos(a)^2 = 1$.
In a similar way, $\sqrt{\ }$ is a function from non-negative reals to non-negative reals such that
$(\sqrt{a})^2 = a$ for $a \ge 0$. From this axiom, we can prove, for instance, that $\sqrt{a^2} = a$ for $a \ge 0$.

The remainder of this section is devoted to the proof of the General Conditions for 
Conflict Avoidance presented in Section 2. First, we discuss some technical details on the 
formal proofs of inequalities and on integrating geometrical reasoning in a theorem prover 
such as PVS. Then, we introduce a new system of coordinates. Finally, we detail the proofs 
of the conditions in Section 2.4. 
3.1 Dealing With Inequalities

Most of the properties that must be proven involve inequalities. First notice that as a
consequence of the axiomatic definition of $\sqrt{\ }$, a property like $0 \le a \le \sqrt{b}$ must be proven
by first establishing $a^2 \le b$ and then using a property of monotony over the squared function.
To deal with general inequalities, we assume the following calculus theorem

Theorem 3 (monotonic_anti_deriv).

$$\forall f, g : \mathbb{R} \to \mathbb{R}.\ \forall a, b : \mathbb{R}.\ a \le b \supset (\forall c : \mathbb{R}.\ a \le c \le b \supset f'(c) \le g'(c)) \supset f(b) - f(a) \le g(b) - g(a).$$

In the verification process it is sometimes inevitable to perform calculations on expressions
containing non-effective functions such as the trigonometric functions. It is tempting to use
approximation series to define, for instance, sin and cos. However, mixing approximation
series and axiomatic definitions of trigonometric functions may be a source of paradoxes. Say
for example that sin and cos compute approximate values of the real ones. It will be very
unlikely that $\sin(a)^2 + \cos(a)^2$ evaluates to 1 for any value of a. In order to avoid that kind of
inconsistency, we mix approximations and uninterpreted functions in a very rigorous way.
Assume we want to prove that $e_1[\sin(a)]^+ < e_2[\cos(b)]^+$, i.e., $e_1$ contains a distinguished
positive occurrence of $\sin(a)$ and $e_2$ contains a distinguished positive occurrence of $\cos(b)$.
Then, we find a computable upper bound of $\sin(a)$, say $\sin_{ub}(a)$, and a computable lower
bound of $\cos(b)$, say $\cos_{lb}(b)$. Finally, we prove $e_1[\sin(a)]^+ < e_2[\cos(b)]^+$ as follows

$$e_1[\sin(a)]^+ \le e_1[\sin_{ub}(a)]^+ \qquad (19)$$

$$e_1[\sin_{ub}(a)]^+ < e_2[\cos_{lb}(b)]^+ \qquad (20)$$

$$e_2[\cos_{lb}(b)]^+ \le e_2[\cos(b)]^+ \qquad (21)$$

Most of the time, Formulas 19 and 21 are simple to discharge. If $e_1[\sin_{ub}(a)]^+$ and $e_2[\cos_{lb}(b)]^+$
are computable then we prove Formula 20 by evaluating the expressions. Otherwise, we use
the same technique to remove other non-computable values. Eventually, we will get two
expressions that we can evaluate. This technique is so frequently used and simple that we have developed
PVS strategies to automate the work.

In particular, we use the following definitions, truncated Taylor partial sums whose last
term fixes the direction of the bound,

$$\sin_{lb}(a) = \sum_{i=1}^{n}(-1)^{i-1}\frac{a^{2i-1}}{(2i-1)!}\ (n \text{ even}), \qquad \sin_{ub}(a) = \sum_{i=1}^{n}(-1)^{i-1}\frac{a^{2i-1}}{(2i-1)!}\ (n \text{ odd}),$$

$$\cos_{lb}(a) = 1 + \sum_{i=1}^{n}(-1)^{i}\frac{a^{2i}}{(2i)!}\ (n \text{ odd}), \qquad \cos_{ub}(a) = 1 + \sum_{i=1}^{n}(-1)^{i}\frac{a^{2i}}{(2i)!}\ (n \text{ even}),$$

and the axioms^4

^4 In PVS, real numbers are written as rational numbers.
Axiom 1 (PI).

$$314/100 < \pi < 315/100.$$

Axiom 2 (SIN).

$$0 \le a \le \pi \supset \sin_{lb}(a) \le \sin(a) \le \sin_{ub}(a).$$

Axiom 3 (COS).

$$-\pi/2 \le a \le \pi/2 \supset \cos_{lb}(a) \le \cos(a) \le \cos_{ub}(a).$$
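The bounding technique of Formulas 19 to 21, as an added Python example (not the paper's PVS strategies): the bounds are the truncated Taylor sums computed exactly on rationals, in the spirit of footnote 4, and Formula 20 is decided by evaluation. Assumptions of the example: the truncation orders are those stated above (an even number of terms gives a lower bound for sin, an odd number an upper bound, and the reverse for cos), the range guards use the PI axiom conservatively, and the inequalities certified at the end are constructed samples.

```python
from fractions import Fraction
import math

PI_LB, PI_UB = Fraction(314, 100), Fraction(315, 100)   # Axiom 1 (PI)


def sin_partial(a, terms):
    """Sum_{i=1}^{terms} (-1)^(i-1) a^(2i-1) / (2i-1)!, evaluated exactly on rationals
    (footnote 4: PVS real numbers are written as rationals)."""
    return sum((-1) ** (i - 1) * a ** (2 * i - 1) / math.factorial(2 * i - 1)
               for i in range(1, terms + 1))


def cos_partial(a, terms):
    """1 + Sum_{i=1}^{terms} (-1)^i a^(2i) / (2i)!, evaluated exactly on rationals."""
    return 1 + sum((-1) ** i * a ** (2 * i) / math.factorial(2 * i)
                   for i in range(1, terms + 1))


# Assumption of this example: the lb/ub functions are the Taylor partial sums truncated
# after a negative term (lower bound) or a positive term (upper bound). For the sine this
# brackets sin(a) whenever a >= 0, for the cosine for every a, so Axioms SIN and COS hold
# for these definitions on the ranges they state.
def sin_lb(a, terms=2):
    if terms % 2:
        raise ValueError("a lower bound for sin needs an even number of terms")
    return sin_partial(a, terms)


def sin_ub(a, terms=3):
    if not terms % 2:
        raise ValueError("an upper bound for sin needs an odd number of terms")
    return sin_partial(a, terms)


def cos_lb(a, terms=1):
    if not terms % 2:
        raise ValueError("a lower bound for cos needs an odd number of summed terms")
    return cos_partial(a, terms)


def cos_ub(a, terms=2):
    if terms % 2:
        raise ValueError("an upper bound for cos needs an even number of summed terms")
    return cos_partial(a, terms)


def certify_lt(e1, e2, a, b, sin_terms=3, cos_terms=1):
    """Formulas 19-21: certify e1[sin(a)]+ < e2[cos(b)]+, for e1 increasing in its sin
    argument and e2 increasing in its cos argument, by evaluating Formula 20 on the
    computable bounds. Axiom PI is used conservatively in the range guards:
    0 <= a <= 314/100 < pi and |b| <= 157/100 < pi/2. A False result means the bounds
    were too loose for this order, not that the inequality is false; retry with more terms."""
    if not (0 <= a <= PI_LB) or abs(b) > PI_LB / 2:
        raise ValueError("argument outside the ranges covered by Axioms SIN and COS")
    return e1(sin_ub(a, sin_terms)) < e2(cos_lb(b, cos_terms))


if __name__ == "__main__":
    # Constructed sample: sin(3) < cos(1/10) / 2 is true but the 3-term bound is too loose.
    a, b = Fraction(3), Fraction(1, 10)
    for n in (3, 5):
        print(n, "terms:", certify_lt(lambda s: s, lambda c: c / 2, a, b, sin_terms=n))
```

Because every intermediate value is a Fraction, the check of Formula 20 is exact, and the only approximation is in the bounds themselves, which is what makes the technique sound to mix with the uninterpreted sin and cos.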


3.2 New System of Coordinates 

The first major step in our formal development is to take as reference a new system of coordinates
where the origin is the position of the evader aircraft at time T, i.e., $(x_e(T), y_e(T))$,
and the x-y plane has been rotated by $\theta_0$. The new x-y plane, which is illustrated in
Figure 6, is defined as follows

$$\bar{x}(t) = \cos(\theta_0)[x(t) - x_e(T)] + \sin(\theta_0)[y(t) - y_e(T)] \qquad (22)$$

$$\bar{y}(t) = \cos(\theta_0)[y(t) - y_e(T)] - \sin(\theta_0)[x(t) - x_e(T)] \qquad (23)$$



Figure 6: New Coordinate System 

We have formally proven that distances are invariant under rotation and translation of 
the coordinate system. In particular, we have proven 
Lemma 4 (isometric).

$$(x_1(t) - x_2(t))^2 + (y_1(t) - y_2(t))^2 = (\bar{x}_1(t) - \bar{x}_2(t))^2 + (\bar{y}_1(t) - \bar{y}_2(t))^2.$$

From lemma isometric, we can easily derive

Lemma 5 (isometric_evader).

$$e(t)^2 = \bar{x}_i(t)^2 + \bar{y}_i(t)^2.$$

Lemma 6 (isometric_intruder).

$$i(t)^2 = (\bar{x}_i(t) - \bar{x}_i(0))^2 + (\bar{y}_i(t) - \bar{y}_i(0))^2.$$

As a corollary of lemma isometric_evader, we have

Lemma 7 (majoration).

$$e(t)^2 \ge \bar{x}_i(t)^2 \wedge e(t)^2 \ge \bar{y}_i(t)^2.$$

3.3 Geometric Reasoning 

Since conflict detection systems solve a physical problem, visualization plays an important 
role in the verification process. We have extensively used tools such as MuPAD [9] and GNUPLOT [19]
to find geometrical relations between different components of the mathematical
framework before attempting a direct proof in the theorem prover.

In this section, we show proofs of two geometrical properties: Alpha_d_AlertRange and
R_T. Lemma Alpha_d_AlertRange exploits the Law of Cosines to bound the angle $\beta$ and R_T
provides a formula for computing R(T) from l and the angles $\beta$ and $\theta_0$. We recall that R(T)
is the projected distance between the evader and the intruder assuming that the intruder
continues in a straight line on its present course. Since geometrical reasoning is usually
easier to illustrate than to formalize, we base our reasoning on Figure 7. However, the PVS
proofs are filled with details concerning the coordinate geometry version of the diagram.

Lemma 8 (Alpha_d_AlertRange).

$$\mathrm{Alpha}(\beta) \supset d < \mathrm{AlertRange},$$

where $\mathrm{Alpha}(\alpha) \equiv \cos(\alpha) > ((vT)^2 + l^2 - \mathrm{AlertRange}^2)/2vTl$.

Proof. From the Law of Cosines,

$$\cos(\beta) = ((vT)^2 + l^2 - d^2)/2vTl.$$

Therefore,

$$\cos(\beta) > ((vT)^2 + l^2 - \mathrm{AlertRange}^2)/2vTl$$

$$((vT)^2 + l^2 - d^2)/2vTl > ((vT)^2 + l^2 - \mathrm{AlertRange}^2)/2vTl$$

$$-d^2 > -\mathrm{AlertRange}^2$$

$$d^2 < \mathrm{AlertRange}^2$$

$$d < \mathrm{AlertRange}.$$



□ 
Figure 7: R(T): Projected Distance at Time T

Lemma 9 (R_T).

$$R^2(T) = (l\cos(\beta + \theta_0) - vT)^2 + (l\sin(\beta + \theta_0))^2.$$

Proof. At time T the evader will be at $e(T) = (x_e(T), y_e(T))$ and the projected location of
the intruder at time T is $i(T) = (x_i(T), y_i(T))$. Dropping a perpendicular line from e(T) to
the intruder line defines point C. The distance from e(T) to C is $l\sin(\beta + \theta_0)$. The distance
from $i(0) = (x_i(0), y_i(0))$ to C is $l\cos(\beta + \theta_0)$. The distance from i(0) to i(T) is vT since
the intruder is travelling at a constant rate of v. Thus, the distance from point i(T) to C
will be $l\cos(\beta + \theta_0) - vT$. By the Pythagorean theorem, we have:

$$R^2(T) = (l\cos(\beta + \theta_0) - (vT))^2 + (l\sin(\beta + \theta_0))^2.$$

□ 
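The following Python code is an added check (not from the paper) of the coordinate change of Section 3.2 and the two geometric lemmas of this section: it builds the geometry of Figure 5 from l and β using Equations 16 and 17, evaluates R(T) both directly from the projected positions and through Lemma R_T, tests Lemma 8 on two AlertRange values, and confirms Lemma 5 and the lemma R_T_d_diff used in Section 3.7. The function names and the sample values (l = 2500 ft, v = 250 ft/s, T = 10 s, β and θ₀ in radians) are constructed for the example.

```python
import math


def rotate_translate(x, y, xeT, yeT, theta0):
    """Equations 22-23: coordinates with origin at the evader position at time T,
    rotated by theta0."""
    xb = math.cos(theta0) * (x - xeT) + math.sin(theta0) * (y - yeT)
    yb = math.cos(theta0) * (y - yeT) - math.sin(theta0) * (x - xeT)
    return xb, yb


def geometry(l, beta, v, T, xi=0.0, yi=0.0):
    """Figure 5 from l and beta (Equations 16-17): intruder at (xi, yi) at time 0, evader at
    (xeT, yeT) at time T and, flying heading 0 at speed v, at (xeT - vT, yeT) at time 0."""
    xeT, yeT = l * math.cos(beta) + xi, yi - l * math.sin(beta)
    return (xi, yi), (xeT, yeT), (xeT - v * T, yeT)


def projected_intruder(l, beta, theta0, v, T):
    """Straight-line projection of the intruder from time 0 to time T at heading theta0."""
    (xi, yi), _, _ = geometry(l, beta, v, T)
    return xi + v * T * math.cos(theta0), yi + v * T * math.sin(theta0)


def R_T_lemma(l, beta, theta0, v, T):
    """Lemma R_T: R(T)^2 = (l cos(beta + theta0) - vT)^2 + (l sin(beta + theta0))^2."""
    return math.sqrt((l * math.cos(beta + theta0) - v * T) ** 2
                     + (l * math.sin(beta + theta0)) ** 2)


def R_T_direct(l, beta, theta0, v, T):
    """R(T) computed from the coordinates: projected intruder to evader at time T."""
    _, (xeT, yeT), _ = geometry(l, beta, v, T)
    xiT, yiT = projected_intruder(l, beta, theta0, v, T)
    return math.hypot(xiT - xeT, yiT - yeT)


def d_initial(l, beta, v, T):
    """d = D_ie(0, 0) from the coordinates; by the Law of Cosines it equals
    sqrt((vT)^2 + l^2 - 2 vT l cos(beta))."""
    (xi, yi), _, (xe0, ye0) = geometry(l, beta, v, T)
    return math.hypot(xe0 - xi, ye0 - yi)


def alpha(beta, l, v, T, alert_range):
    """Alpha(beta): cos(beta) > ((vT)^2 + l^2 - AlertRange^2) / (2 vT l).
    Lemma 8 states that Alpha(beta) implies d < AlertRange."""
    return math.cos(beta) > ((v * T) ** 2 + l ** 2 - alert_range ** 2) / (2 * v * T * l)


def isometric_evader_holds(l, beta, theta0, v, T):
    """Lemma 5 applied to the projected intruder at time T: the squared distance to the
    evader equals xbar^2 + ybar^2 in the rotated, translated frame."""
    _, (xeT, yeT), _ = geometry(l, beta, v, T)
    xiT, yiT = projected_intruder(l, beta, theta0, v, T)
    xb, yb = rotate_translate(xiT, yiT, xeT, yeT, theta0)
    return math.isclose(math.hypot(xiT - xeT, yiT - yeT) ** 2, xb * xb + yb * yb, rel_tol=1e-9)


def R_T_d_diff_holds(l, beta, theta0, v, T):
    """Lemma R_T_d_diff (Section 3.7): for l > 0, R(T) > d iff cos(theta0 + beta) < cos(beta)."""
    return ((R_T_lemma(l, beta, theta0, v, T) > d_initial(l, beta, v, T))
            == (math.cos(theta0 + beta) < math.cos(beta)))


if __name__ == "__main__":
    L, B, TH, V, T = 2500.0, 0.9273, 0.1745, 250.0, 10.0   # constructed sample values
    print("R(T) lemma / direct:", R_T_lemma(L, B, TH, V, T), R_T_direct(L, B, TH, V, T))
    print("d:", d_initial(L, B, V, T))
    for ar in (1400.0, 2300.0):
        print(f"AlertRange={ar}: Alpha={alpha(B, L, V, T, ar)}, d<AlertRange={d_initial(L, B, V, T) < ar}")
```

With β ≈ 53° the initial separation d is about 2236 ft, so Alpha(β) holds for AlertRange = 2300 ft and fails for the AILS value of 1400 ft, exactly as Lemma 8 predicts; the R_T lemma agrees with the direct computation to floating-point precision.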

Finally, we address the proof of the sufficient conditions presented in Section 2.4. Note
that some proofs may refer to technical lemmas included in Appendix A.
3.4 Theorem no_conflict_gt_max

We must establish that the distance between the intruder and the evader at time T is greater
than ConflictRange for all possible trajectories of the intruder:

$$T > 0 \wedge l > \mathrm{MaxDistance} \supset \neg\mathrm{conflict}_{ie}(T).$$

Proof. To establish $\neg\mathrm{conflict}_{ie}(T)$, it suffices to show $e(T) > \mathrm{ConflictRange}$. From
Lemma YCNGFTYS_evader (see Appendix A), and instantiating t with T, we have

$$T > 0 \wedge l > v_i T \supset l - v_i T \le e(T).$$

The premise $l > v_i T$ is discharged from hypothesis $l > \mathrm{MaxDistance}$ and the definition of
MaxDistance. To conclude the proof, we show that $l - v_i T > \mathrm{ConflictRange}$ as follows

$$l - v_i T > \mathrm{MaxDistance} - v_i T \qquad \text{By hypothesis } l > \mathrm{MaxDistance}$$

$$= \mathrm{ConflictRange} + v_i T - v_i T \qquad \text{By definition of MaxDistance}$$

$$= \mathrm{ConflictRange} \qquad \text{Simplifying.}$$

□ 


3.5 Theorem no_conflict_le_min

This theorem states that all possible trajectories of the intruder stay outside of the conflict
region, if the initial distance from the evader, l, is less than MinDistance:

$$T > 0 \wedge l < \mathrm{MinDistance} \wedge 0 < \rho T < 2 \supset \neg\mathrm{conflict}_{ie}(T).$$

Proof. To establish $\neg\mathrm{conflict}_{ie}(T)$, we show that $\mathrm{ConflictRange} < e(T)$. From the definition
of MinDistance and Equation 9,

$$\mathrm{ConflictRange} = 2r\sin(\rho T/2) - \mathrm{MinDistance}. \qquad (24)$$

Since $l < \mathrm{MinDistance}$, we have

$$\mathrm{ConflictRange} < 2r\sin(\rho T/2) - l.$$

From the YCNGSTYS_evader lemma (see Appendix A), we have

$$l < 2r\sin(\rho T/2) \wedge 0 < \rho T < 2 \supset 2r\sin(\rho T/2) - l \le e(T)$$

from which the desired result follows by transitivity. The premise of lemma YCNGSTYS_evader
is discharged by establishing

$$\mathrm{MinDistance} < 2r\sin(\rho T/2)$$

via Equation 24, and applying the assumption that $l < \mathrm{MinDistance}$. □
3.6 Theorem no_conflict_Omega

$$T > 0 \wedge l > \mathrm{ConflictRange} + v_i \wedge \rho T \leq \pi - \rho \wedge \mathrm{Omega}(\beta + \theta_0) \supset \neg\mathrm{conflict}_{ie}(T).$$

Proof. To establish $\neg\mathrm{conflict}_{ie}(T)$, we show $e(T) > \mathrm{ConflictRange}$. We split into two
cases: $0 < T \leq 1$ and $1 < T$.

1. Case $0 < T \leq 1$. From lemma YCNGFTYS_evader, instantiating $t$ with $T$, we have

$$l \geq v_i T \supset l - v_i T \leq e(T). \tag{25}$$

Since $1 \geq T$, $l - v_i T \geq l - v_i$. But $l - v_i > \mathrm{ConflictRange} > 0$, so the premise
$l \geq v_i T$ of Formula 25 holds. Hence, $e(T) \geq l - v_i T \geq l - v_i > \mathrm{ConflictRange}$.

2. Case $1 < T$. By the majoration lemma (Lemma 7):

$$e(T)^2 \geq x_i(T)^2.$$

Applying the square root to both sides results in

$$e(T) \geq x_i(T).$$

By the no_conflict_xp_1_Omega lemma (see Appendix A):

$$1 \leq T \wedge \rho T \leq \pi - \rho \wedge \mathrm{Omega}(\beta + \theta_0) \supset x_i(T) > \mathrm{ConflictRange}.$$

Transitivity yields the desired result.

□


3.7 Theorem ails_no_conflict_tau_le0

$$\begin{aligned}
& v = v_i = v_e = 250 \wedge \mathrm{AlertRange} = 1400 \wedge 9.5 \leq T \leq 10 \wedge \\
& \mathrm{MinDistance} \leq l \leq \mathrm{MaxDistance} \wedge \neg\mathrm{Omega}(\beta + \theta_0) \wedge \\
& d > \mathrm{AlertRange} \wedge \tau(0) \leq 0 \\
& \supset \neg\mathrm{conflict}_{ie}(T).
\end{aligned}$$

Proof. This theorem follows immediately from Lemma Alpha_d_AlertRange (Lemma 8) and
the following three lemmas:

• Lemma cos_no_conflict:

$$\begin{aligned}
& v = v_i = v_e = 250 \wedge \mathrm{AlertRange} = 1400 \wedge 9.5 \leq T \leq 10 \wedge \\
& \mathrm{MinDistance} \leq l \leq \mathrm{MaxDistance} \wedge \\
& \neg\mathrm{Alpha}(\beta) \wedge \neg\mathrm{Omega}(\beta + \theta_0) \wedge \cos(\theta_0 + \beta) \leq \cos(\beta) \\
& \supset \neg\mathrm{conflict}_{ie}(T).
\end{aligned}$$

• Lemma R_T_d_diff:

$$l > 0 \supset (R(T) \geq d \iff \cos(\theta_0 + \beta) \leq \cos(\beta)).$$

• Lemma tau_le_0_diverg:

$$\tau(0) \leq 0 \supset R(T) \geq d.$$

□

Proof of lemma cos_no_conflict. We establish $e(T)^2 > \mathrm{ConflictRange}^2$. From the isometric_evader
lemma (Lemma 5), substituting $T$ for $t$, we have:

$$e(T)^2 = x_i(T)^2 + y_i(T)^2.$$

From lemmas xpt and ypt (see Appendix A), instantiating $t$ with $T$, we get:

$$\begin{aligned}
x_i(T) &\geq r\sin(\rho T) - l\cos(\beta + \theta_0) \\
y_i(T) &\geq l\sin(\beta + \theta_0) + r(\cos(\rho T) - 1).
\end{aligned}$$

We now split on the two cases that come from the $\neg\mathrm{Omega}$ premise:

1. Case $0 \leq \beta + \theta_0 < \pi/2$. Lemma Math_prop_no_conflict_1 (see Appendix A):

$$\begin{aligned}
& v = 250 \wedge 9.5 \leq T \leq 10 \wedge \\
& \mathrm{MinDistance} \leq l \leq \mathrm{MaxDistance} \wedge \\
& \mathrm{MinBeta} \leq \alpha < \pi/2 \wedge \\
& y \geq l\sin(\alpha) + r[\cos(\rho T) - 1] \wedge x \geq r\sin(\rho T) - l\cos(\alpha) \\
& \supset x^2 + y^2 > \mathrm{ConflictRange}^2,
\end{aligned}$$

where $\mathrm{MinBeta} = 539/1000$, gives us the following after substituting $\theta_0 + \beta$ for $\alpha$, $x_i(T)$
for $x$, and $y_i(T)$ for $y$:

$$x_i(T)^2 + y_i(T)^2 > \mathrm{ConflictRange}^2.$$

We discharge the assumption

$$\mathrm{MinBeta} \leq \theta_0 + \beta$$

by using the premise

$$\cos(\theta_0 + \beta) \leq \cos(\beta)$$

and Lemma cos_beta_NOT_Alpha (see Appendix A):

$$\begin{aligned}
& v = 250 \wedge 9.5 \leq T \leq 10 \wedge \mathrm{AlertRange} = 1400 \wedge \\
& \mathrm{MinDistance} \leq l \leq \mathrm{MaxDistance} \wedge \neg\mathrm{Alpha}(\beta) \\
& \supset \cos(\beta) \leq \cos(\mathrm{MinBeta}).
\end{aligned}$$

Notice that $\cos$ is decreasing in the interval $[0 \ldots \pi]$.

2. This case is symmetric to the previous one. We use Lemma Math_prop_no_conflict_2
(see Appendix A):

$$\begin{aligned}
& v = 250 \wedge 9.5 \leq T \leq 10 \wedge \\
& \mathrm{MinDistance} \leq l \leq \mathrm{MaxDistance} \wedge \\
& 3\pi/2 < \alpha \leq 2\pi - \mathrm{MinBeta} \wedge \\
& y \geq l\sin(\alpha) + r(\cos(\rho T) - 1) \wedge x \geq r\sin(\rho T) - l\cos(\alpha) \\
& \supset x^2 + y^2 > \mathrm{ConflictRange}^2,
\end{aligned}$$

and the fact that $\cos$ is increasing in the interval $[3\pi/2 \ldots 2\pi]$.

□

Proof of lemma R_T_d_diff. We must establish

$$l > 0 \supset (R(T) \geq d \iff \cos(\theta_0 + \beta) \leq \cos(\beta)).$$

From lemma R_T (Lemma 9), we have

$$R(T)^2 = (l\cos(\beta + \theta_0) - vT)^2 + (l\sin(\beta + \theta_0))^2.$$

Simplifying the right side we have

$$\begin{aligned}
R(T)^2 &= l^2\cos(\beta + \theta_0)^2 - 2vTl\cos(\beta + \theta_0) + (vT)^2 + l^2\sin(\beta + \theta_0)^2 \\
&= l^2 - 2vTl\cos(\beta + \theta_0) + (vT)^2.
\end{aligned}$$

From Figure 7, we get

$$d^2 = (vT)^2 + l^2 - 2vTl\cos(\beta).$$

Subtracting $d^2$ from $R(T)^2$ yields:

$$R(T)^2 - d^2 = 2vTl(\cos(\beta) - \cos(\beta + \theta_0)).$$

Since $2vTl > 0$, we have

$$R(T)^2 - d^2 \geq 0 \iff \cos(\beta) - \cos(\beta + \theta_0) \geq 0.$$

The desired result follows from the fact that $R(T) \geq d \iff R(T)^2 - d^2 \geq 0$.

□
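The algebra of Lemma R_T and of the proof of R_T_d_diff can be checked numerically. The following Python block is an added example written for this page, not code from the paper or from its PVS development: it evaluates $R(T)^2$ both from Lemma R_T and from the simplified expansion, $d^2$ from the law of cosines, and confirms on a grid of angles $(\beta, \theta_0)$ that $R(T)^2 - d^2$ equals $2vTl(\cos\beta - \cos(\beta + \theta_0))$ and that $R(T) \geq d$ holds exactly when $\cos(\theta_0 + \beta) \leq \cos(\beta)$. The values $v = 250$ and $T = 10$ are the paper's; $l = 2000$ feet is a constructed sample distance.

```python
import math


def R_squared(l, beta, theta0, v, T):
    """Lemma R_T: R(T)^2 = (l cos(beta+theta0) - vT)^2 + (l sin(beta+theta0))^2."""
    a = beta + theta0
    return (l * math.cos(a) - v * T) ** 2 + (l * math.sin(a)) ** 2


def R_squared_expanded(l, beta, theta0, v, T):
    """The simplified form used in the proof: l^2 - 2vTl cos(beta+theta0) + (vT)^2."""
    return l * l - 2 * v * T * l * math.cos(beta + theta0) + (v * T) ** 2


def d_squared(l, beta, v, T):
    """Law of cosines for the initial distance d (Figure 7): (vT)^2 + l^2 - 2vTl cos(beta)."""
    return (v * T) ** 2 + l * l - 2 * v * T * l * math.cos(beta)


def diff_closed_form(l, beta, theta0, v, T):
    """R(T)^2 - d^2 as derived in the proof: 2vTl (cos(beta) - cos(beta+theta0))."""
    return 2 * v * T * l * (math.cos(beta) - math.cos(beta + theta0))


def r_ge_d(l, beta, theta0, v, T, tol=1e-6):
    """Left side of the lemma's equivalence, R(T) >= d, with floating-point slack."""
    return math.sqrt(R_squared(l, beta, theta0, v, T)) + tol >= math.sqrt(d_squared(l, beta, v, T))


def cos_condition(beta, theta0, tol=1e-12):
    """Right side of the lemma's equivalence: cos(theta0 + beta) <= cos(beta)."""
    return math.cos(theta0 + beta) <= math.cos(beta) + tol


def lemma_holds_on_grid(l, v, T, steps=72):
    """Check every step of the R_T_d_diff proof on a steps x steps grid of angles.
    Returns (all_ok, number_of_grid_points_checked)."""
    scale = 2 * v * T * l  # magnitude of the quantities being compared
    checked = 0
    for i in range(steps):
        beta = 2 * math.pi * i / steps
        for j in range(steps):
            theta0 = 2 * math.pi * j / steps
            r2 = R_squared(l, beta, theta0, v, T)
            # step 1: expanding the squares does not change R(T)^2
            if abs(r2 - R_squared_expanded(l, beta, theta0, v, T)) > 1e-9 * scale:
                return False, checked
            # step 2: R(T)^2 - d^2 has the closed form derived in the proof
            diff = r2 - d_squared(l, beta, v, T)
            if abs(diff - diff_closed_form(l, beta, theta0, v, T)) > 1e-9 * scale:
                return False, checked
            # step 3: R(T) >= d holds exactly when cos(theta0+beta) <= cos(beta)
            if r_ge_d(l, beta, theta0, v, T) != cos_condition(beta, theta0):
                return False, checked
            checked += 1
    return True, checked
```

The grid check is a sanity test of the algebra, not a proof; the PVS lemma covers all real angles, whereas the script samples 5-degree steps and tolerates rounding at the points where $R(T) = d$ exactly.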
Proof of lemma tau_le_0_diverg. To establish

$$\tau(0) \leq 0 \supset R(T) \geq d,$$

we begin with lemma asymptotic_increase_tau (Lemma 3):

$$\tau(t) \leq t_1 \leq t_2 \supset R(t + t_2) \geq R(t + t_1).$$

Substituting $T$ for $t_2$ and $0$ for $t$ and $t_1$, we have:

$$R(T) \geq R(0).$$

But by definition, $R(0) = d$, from which the desired result follows trivially. □

4 Verification of the AILS Alerting Algorithm 

The AILS alerting algorithm determines when an alarm will be triggered by generating pos-
sible collision trajectories for the aircraft involved in the parallel landing.⁵ Distance and
times of minimum approaches for the generated trajectories are compared against distance
and time alert thresholds. Collision trajectories are calculated based on projection of air- 
craft states, which consist of current position, heading, speed, and bank angle. Operational 
requirements for the AILS concept state that both aircraft are in the same horizontal plane 
and that the ground speeds of the aircraft are constant. We choose a conservative value of 
v = 250 feet per second for the aircraft ground speed. 

At the beginning of the algorithm, one aircraft is considered to be the intruder and the 
other is considered to be the evader. The evader aircraft is assumed to fly on a straight 
line following the center line of its runway, which is usually called localizer. The algorithm 
is designed around the idea that the intruder aircraft is flying a circular path, based on a 
constant turn rate, from which it can escape on a straight line following tangential tracks 
separated 1.5 to 3 degrees. For all the possible trajectories, the algorithm computes time 
and distance at the minimum separation. If they fall in time and distance alert thresholds, 
then an alarm is issued. The algorithm runs on time-steps of 0.5 seconds. 

The original AILS algorithm was written in FORTRAN at Langley Research Center. It 
has been revised several times and the latest version, flown in the Boeing 757 experimental 
aircraft, was written by Honeywell. That algorithm provides several levels of alarms ranging 
from advisory cautions to warnings according to the severity of the blundering of the intruder 
aircraft. A traffic warning must be followed by an escape maneuver. For the work presented 
in this paper, we use a higher level abstract model of the alerting algorithm, described in 
[7], where only traffic warning alarms are considered. That model was written in PVS (see 
Appendix C). 

⁵ In this section, we use the words collision and conflict interchangeably.

4.1 Curved Trajectories

The logic of the AILS algorithm assumes that the evader aircraft stays on the localizer during
the final approach. However, the algorithm is designed to issue an alarm for any intruder
trajectory that threatens the evader aircraft. An original design target for the algorithm was
that an alarm should be issued at least 19 seconds before the potential collision. For a large
class of trajectories, which we will call curved, the algorithm can be easily shown to meet
this goal. A curved trajectory is a trajectory where the aircraft follows a circular path (at
the current turn radius) until it exits the circle in a straight tangential track. Unfortunately,
curved trajectories do not provide the worst-case scenario. Indeed, in our more general
model of trajectories, i.e., paths only constrained by the dynamics of the aircraft, we have
seen that two aircraft can approach to within 10.5 seconds of a collision without an alarm
being triggered by the AILS algorithm. That is, for lookahead times of 10.5 seconds or
greater, there exist trajectories leading to a potential collision for which an alarm will not
be issued. These trajectories were first discovered using a simulation tool that we have
implemented in Java [7], and were later analyzed in PVS. In these trajectories the
intruder gradually approaches the evader at the beginning of the final approach, but then
attacks the evader in a very aggressive maneuver after approaching to within 1400 feet. The
situation is illustrated in Figure 8.

In the next section we will see that for lookahead times of 10 seconds or less the AILS
algorithm is correct, i.e., it will issue an alarm for any trajectory for which there is a potential
collision.

4.2 Correctness and Certainty 

The AILS algorithm has been used as a case-study for formal safety assessment via the 
framework proposed in Section 2. In particular, in this section, we address the formal 
statement of correctness and certainty properties of the AILS alerting algorithm. 

In PVS, the algorithm is specified by the predicate

$$\mathrm{ails\_alert}(i, e : \mathrm{State}) : \mathrm{bool}$$

that takes the initial states of an intruder aircraft $i$ and an evader aircraft $e$, and returns
true or false depending on whether the alarm is issued or not. The two arguments $i, e$ of
type State contain the state variables that the algorithm operates on. State is defined as
a record with fields x, y, heading, bank that represent the measured values of an aircraft's
position, heading, and bank angle. In this paper, we have assumed that these measurements
are made without error. The measurement process was formalized in PVS using a function
measure2state. The net result of a measurement without error is that if $tr$ is a trajectory
consisting of functions $x$, $y$, $\theta$, $\phi$, the following equalities hold⁶:

$$\begin{aligned}
x(\mathrm{measure2state}(tr, t)) &= x(t) && (26) \\
y(\mathrm{measure2state}(tr, t)) &= y(t) && (27) \\
\mathrm{heading}(\mathrm{measure2state}(tr, t)) &= \theta(t) && (28) \\
\mathrm{bank}(\mathrm{measure2state}(tr, t)) &= \phi(t) && (29)
\end{aligned}$$

⁶ Access to records is written in PVS as function calls, i.e., if $s$ is a State, $x(s)$ refers to the field x of the
state $s$.

[Figure 8: AILS Worst-case Scenario for T=10.5 seconds]

Although with ADS-B exchange of information the errors can be made very small, they should
be included. Future work will look at incorporating measurement error into the analysis,
e.g.

$$\begin{aligned}
x(\mathrm{measure2state}(tr, t)) &= x(t) + \epsilon_x \\
y(\mathrm{measure2state}(tr, t)) &= y(t) + \epsilon_y \\
\mathrm{heading}(\mathrm{measure2state}(tr, t)) &= \theta(t) + \epsilon_\theta \\
\mathrm{bank}(\mathrm{measure2state}(tr, t)) &= \phi(t) + \epsilon_\phi,
\end{aligned}$$

where the $\epsilon$'s are bounded according to the inaccuracies of the measurement devices.

The correctness property of the AILS algorithm states that if there exists an intruder tra-
jectory that brings the two aircraft within CollisionRange of each other, then the algorithm
will issue an alarm on the evader aircraft $T$ seconds before that potential collision. By
using the framework developed in Section 2, we have formally proven the ails_correctness
theorem for $9.5 \leq T \leq 10$. Therefore, each execution of the algorithm completely covers
all potential collisions in a lookahead time between 9.5 and 10 seconds. Since the time step
of the AILS concept, i.e., the time gap between two consecutive executions of the alerting
algorithm, is 0.5 seconds, potential collisions at times less than 9.5 seconds are covered by earlier ex-
ecutions of the algorithm. Due to operational constraints, when the AILS system is engaged
during a final approach, there is a safe window of at least 9.5 seconds when no collision can
occur.

In the following, and due to AILS operational requirements, we assume $v = v_i = v_e = 250$
and $\mathrm{AlertRange} = 1400$. We also take ConflictRange equal to 200 feet, which is roughly
the wing span of a Boeing 747.

Theorem 4 (ails_correctness).

$$\forall i, e.\ 9.5 \leq T \leq 10 \wedge \mathrm{conflict}_{ie}(T) \supset \mathrm{ails\_alert}(\mathrm{measure2state}(i, 0), \mathrm{measure2state}(e, 0)).$$

Proof. We split the proof in two cases, depending on whether $d \leq \mathrm{AlertRange}$ or not ($d$
is the distance from intruder to evader at time 0). The conclusion follows immediately
from lemmas ails_alarm_at_alerting_distance and ails_alarm_when_conflict, whose
proofs are detailed in Section 4.3.

1. ails_alarm_at_alerting_distance:

$$d \leq \mathrm{AlertRange} \supset \mathrm{ails\_alert}(\mathrm{measure2state}(i, 0), \mathrm{measure2state}(e, 0)).$$

2. ails_alarm_when_conflict:

$$d > \mathrm{AlertRange} \wedge 9.5 \leq T \leq 10 \wedge \mathrm{conflict}_{ie}(T) \supset \mathrm{ails\_alert}(\mathrm{measure2state}(i, 0), \mathrm{measure2state}(e, 0)).$$

□

On the other hand, the AILS algorithm is uncertain for $T \leq 10$ seconds, i.e., there exist
scenarios where an alarm is issued but there are no possible collision trajectories within 10
seconds. In other words, false alarms may be issued.

Theorem 5 (ails_uncertainty).

$$\exists s_i, s_e : \mathrm{State}.\ \forall i, e.\ s_i = \mathrm{measure2state}(i, 0) \wedge s_e = \mathrm{measure2state}(e, 0) \wedge 0 < T \leq 10 \supset \mathrm{ails\_alert}(s_i, s_e) \wedge \neg\mathrm{conflict}_{ie}(T).$$

Proof. Take $s_i$ and $s_e$ the states such that $x(s_e) = 0$, $y(s_e) = 0$, $\mathrm{heading}(s_e) = 0$, $\mathrm{bank}(s_e) = 0$,
$x(s_i) = 1400$, $y(s_i) = 0$, $\mathrm{heading}(s_i) = 0$, and $\mathrm{bank}(s_i) = 0$. We show:

1. $\mathrm{ails\_alert}(s_i, s_e)$. It follows from lemma ails_alarm_at_alerting_distance and
calculation of $d \leq \mathrm{AlertRange}$ for the values of $s_i$ and $s_e$.

2. $\neg\mathrm{conflict}_{ie}(T)$. It follows from lemma no_conflict_gt_max and calculation of $l >
\mathrm{MaxDistance}$ for the values of $s_i$ and $s_e$.

□


4.3 AILS Verification 

This section is devoted to the formal proofs of lemmas ails_alarm_at_alerting_distance
and ails_alarm_when_conflict. The proof of the latter lemma extensively uses the condi-
tions for conflict avoidance of Section 2.4. We refer to Appendix C for the PVS specification
of the AILS alerting algorithm.

Lemma 10 (ails_alarm_at_alerting_distance).

$$d \leq \mathrm{AlertRange} \supset \mathrm{ails\_alert}(\mathrm{measure2state}(i, 0), \mathrm{measure2state}(e, 0)).$$

Proof. Expanding the definition of ails_alert (see Appendix C) yields:

    IF ρ(bank(i)) = 0
    THEN chktrack(i, e, 0)
    ELSE arc_loop(...)
    ENDIF

We split into two cases.

1. Case $\rho(\mathrm{bank}(i)) = 0$. In this case, we must prove:

$$d \leq \mathrm{AlertRange} \supset \mathrm{chktrack}(i, e, 0).$$

But chktrack expands into:

    IF τ(i, e, 0) ≤ 0
    THEN chkrange(R(i, e, 0), 0)
    ELSIF τ(i, e, 0) ≥ AlertTime
    THEN R(i, e, AlertTime) ≤ AlertRange
    ELSE R(i, e, τ(i, e, 0)) ≤ AlertRange
    ENDIF

where $\mathrm{AlertTime} = 19$ seconds. We split into three cases.

(a) Case $\tau(i, e, 0) \leq 0$. In this case we must prove:

$$d \leq \mathrm{AlertRange} \supset \mathrm{chkrange}(R(i, e, 0), 0).$$

Expanding chkrange, we have

$$d \leq \mathrm{AlertRange} \supset R(i, e, 0) \leq \mathrm{AlertRange} \wedge 0 \leq \mathrm{AlertTime}.$$

But $R(i, e, 0) = d$ by definition, so this is clearly true.

(b) Case $\tau(i, e, 0) \geq \mathrm{AlertTime}$. In this case we must prove:

$$d \leq \mathrm{AlertRange} \supset R(i, e, \mathrm{AlertTime}) \leq \mathrm{AlertRange}.$$

Using lemma asymptotic_decrease_tau (Lemma 2), we have

$$0 \leq \mathrm{AlertTime} \leq \tau(0) \supset R(i, e, 0) \geq R(i, e, \mathrm{AlertTime}).$$

Since $R(i, e, 0) = d$, we have by transitivity the desired result.

(c) Case $0 < \tau(i, e, 0) < \mathrm{AlertTime}$. In this case we must prove:

$$d \leq \mathrm{AlertRange} \supset R(\tau(i, e, 0)) \leq \mathrm{AlertRange}.$$

From lemma derivative_eq_zero_min (Lemma 2; this lemma characterizes the
property of $\tau$ that $R(\tau(i, e, t))$ is a minimum):

$$R(\tau(i, e, 0)) \leq R(i, e, 0).$$

Once again, since $R(i, e, 0) = d$, we reach the needed result.

2. Case $\rho(\mathrm{bank}(i)) \neq 0$. Expanding ails_alert and arc_loop, and using the fact that
$\mathrm{mod}(0, m) = 0$ for $m \neq 0$, we end up with the goal

$$d \leq \mathrm{AlertRange} \supset \mathrm{chktrack}(i, e, 0),$$

which is identical to the result proved in the previous case. This means that only one
tangential projection is necessary to issue an alarm.

□
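To make the case analysis of Lemma 10 concrete, here is an added Python model of the straight-projection branch ($\rho(\mathrm{bank}(i)) = 0$) of ails_alert as expanded above. It is example code written for this page, not the PVS specification of Appendix C. It assumes the paper's dynamics $x' = v\cos\theta$, $y' = v\sin\theta$ with $v = 250$ ft/s, $\mathrm{AlertRange} = 1400$ ft and $\mathrm{AlertTime} = 19$ s, computes $R(i, e, t)$ as the distance between the two straight-line projections and $\tau(i, e, 0)$ as the time at which that distance is minimal, and then follows the chktrack/chkrange expansion literally. The arc_loop branch for a banking intruder is not modelled, and the evader state and the intruder scenarios are constructed inputs.

```python
import math
from collections import namedtuple

# Record with the fields of the paper's State type; bank is carried but only the
# bank = 0 branch of ails_alert is modelled here.
State = namedtuple("State", "x y heading bank")

V = 250.0             # ft/s, AILS ground speed used in the paper
ALERT_RANGE = 1400.0  # ft
ALERT_TIME = 19.0     # s


def velocity(s):
    """Straight-line velocity from the paper's dynamics x' = v cos(theta), y' = v sin(theta)."""
    return V * math.cos(s.heading), V * math.sin(s.heading)


def relative_motion(i, e):
    """Relative position p = i - e and relative velocity w of the two projections."""
    vix, viy = velocity(i)
    vex, vey = velocity(e)
    return (i.x - e.x, i.y - e.y), (vix - vex, viy - vey)


def R(i, e, t):
    """Projected distance R(i, e, t) between intruder and evader at time t."""
    (px, py), (wx, wy) = relative_motion(i, e)
    return math.hypot(px + wx * t, py + wy * t)


def tau(i, e):
    """tau(i, e, 0): time of minimum approach of the straight projections. It is <= 0
    when the aircraft are already diverging and 0 when R is constant (parallel tracks)."""
    (px, py), (wx, wy) = relative_motion(i, e)
    ww = wx * wx + wy * wy
    if ww == 0.0:
        return 0.0
    return -(px * wx + py * wy) / ww


def chkrange(rng, t):
    """chkrange expanded as in case (a): both the range and the time threshold hold."""
    return rng <= ALERT_RANGE and t <= ALERT_TIME


def chktrack(i, e):
    """Literal transcription of the chktrack expansion in the proof of Lemma 10."""
    t0 = tau(i, e)
    if t0 <= 0:                      # case (a): diverging now
        return chkrange(R(i, e, 0.0), 0.0)
    elif t0 >= ALERT_TIME:           # case (b): closest approach beyond AlertTime
        return R(i, e, ALERT_TIME) <= ALERT_RANGE
    else:                            # case (c): closest approach inside the window
        return R(i, e, t0) <= ALERT_RANGE


def ails_alert_straight(i, e):
    """The rho(bank(i)) = 0 branch of ails_alert; arc_loop is outside this example."""
    if i.bank != 0:
        raise NotImplementedError("arc_loop (banking intruder) is not modelled here")
    return chktrack(i, e)


def initial_distance(i, e):
    """d, the distance at time 0; Lemma 10 says d <= AlertRange forces an alarm."""
    return math.hypot(i.x - e.x, i.y - e.y)


# Constructed scenarios: the evader sits on its localizer at the origin, heading 0.
EVADER = State(0.0, 0.0, 0.0, 0)
SCENARIOS = {
    "diverging_close":   State(0.0, 1000.0, 0.1, 0),         # tau <= 0, d = 1000
    "slow_closing":      State(0.0, 1300.0, -0.1, 0),        # tau > AlertTime, d = 1300
    "head_on_offset":    State(3000.0, 1000.0, math.pi, 0),  # tau = 6 s, R(6) = 1000
    "parallel_boundary": State(1400.0, 0.0, 0.0, 0),         # d == AlertRange, constant R
    "diverging_far":     State(0.0, 2000.0, 0.3, 0),         # tau <= 0, d = 2000: no alarm
}


def run_scenarios():
    """Return {name: (d, tau, alarm)} for the constructed scenarios."""
    return {name: (initial_distance(s, EVADER), tau(s, EVADER), ails_alert_straight(s, EVADER))
            for name, s in SCENARIOS.items()}
```

The first three scenarios exercise cases (a), (b) and (c) of the proof with $d \leq \mathrm{AlertRange}$ and all raise the alarm, as Lemma 10 requires; the fourth sits exactly on the alerting distance; the last shows that the same branch stays silent once $d$ exceeds AlertRange and the aircraft are diverging.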

Lemma 11 (alarm_when_conflict).

$$d > \mathrm{AlertRange} \wedge 9.5 \leq T \leq 10 \wedge \mathrm{conflict}_{ie}(T) \supset \mathrm{ails\_alert}(\mathrm{measure2state}(i, 0), \mathrm{measure2state}(e, 0)).$$

Proof. First, by simple calculations we get

$$10\rho < 2 \tag{30}$$

$$10\rho \leq \pi - \rho \tag{31}$$

Now, we use hypothesis $\mathrm{conflict}_{ie}(T)$ to derive:

1. $l \leq \mathrm{MaxDistance}$, from Theorem no_conflict_gt_max (see Section 3.4),

2. $l \geq \mathrm{MinDistance}$, from Theorem no_conflict_lt_min (see Section 3.5) and For-
mula 30,

3. $\neg\mathrm{Omega}(\beta + \theta_0)$, from Theorem no_conflict_Omega (see Section 3.6), Formula 31, and
$l > \mathrm{ConflictRange}$ (since $l \geq \mathrm{MinDistance}$), and

4. $\tau(0) > 0$, from Theorem ails_no_conflict_tau_le0 (see Section 3.7), (1), (2), (3),
and hypothesis $d > \mathrm{AlertRange}$.

Lemma ails_alarm_tau_gt0 (see Appendix C):

$$\begin{aligned}
& \mathrm{MinDistance} \leq l \leq \mathrm{MaxDistance} \wedge 9.5 \leq T \leq 10 \wedge \\
& \neg\mathrm{Omega}(\beta + \theta_0) \wedge \tau(0) > 0 \wedge \mathrm{conflict}_{ie}(T) \\
& \supset \mathrm{ails\_alert}(\mathrm{measure2state}(i, 0), \mathrm{measure2state}(e, 0))
\end{aligned}$$

yields the result. □

The proofs of lemma alarm_at_alerting_distance and lemma alarm_tau_gt0 only
use a small part of the potential capability of ails_alert. The chktrack function is called
recursively within ails_alert when the intruder's bank angle is not 0. The net effect is
that chktrack is executed against a sequence of tangents (about 1 to 3 seconds apart) from
the projected curved path of the intruder. Interestingly, the correctness property (i.e., alarm
property) only depends on the existence of the first chktrack execution. In other words,
the ails_alert function could be reduced to a single chktrack and the theorem would still
hold. However, the presence of these other chktrack executions enables the algorithm to
often issue an alarm earlier than the worst-case time. We have shown that in the worst case,
even with these extra chktrack executions present, there exists a trajectory where the alarm
is not issued until 10.5 seconds prior to a potential conflict (Figure 8). Thus, the simplified
algorithm has exactly the same worst-case performance as ails_alert but may have an
inferior average performance⁷. However, this is offset by the fact that the simpler algorithm
is far less susceptible to false alarms. In this context, we say that a false alarm occurs
when the algorithm issues an alarm and there are no feasible trajectories that carry the
intruder within the conflict region⁸. We have demonstrated that there are scenarios where
ails_alert will issue an alarm even though there are no feasible trajectories that lead to a
conflict. Thus, ails_alert does not satisfy the certainty property. We have not yet explored
whether the simpler algorithm or a variation of it satisfies the certainty property.


5 Conclusion 

In this paper, we have presented the foundation for a new approach to verifying the safety
of conflict detection algorithms that may one day be deployed in the national airspace. Such
algorithms are an enabling technology for free flight, where pilots are allowed to fly their
own preferred trajectories. The introduction of these algorithms in a free-flight context
raises significant safety issues. Historically the trajectories of aircraft have been managed by
ground controllers through use of aircraft position data obtained from radar. The primary
responsibility for maintaining aircraft separation has been borne by the air traffic controller.
But under a free-flight approach, much of the responsibility for maintaining separation will
be transferred to the pilots and the software which provides them aircraft positions and warn-
ings of potential conflicts. We believe that current methods for gaining assurance about the
safety of ground-based decision-aid software are inadequate for many of the software systems
that will be deployed in the future in support of free flight. The current approach is based
on human-factors based experimentation using high fidelity simulations. When the respon-
sibility for safety resides in the human controller, this is clearly an appropriate approach.
The primary question to be answered is whether the software provides the controllers with
useful information that aids them in their decision making. But as software takes on more
and more of the responsibility for generating aircraft trajectories and detecting potential
conflicts and perhaps even producing (and executing?) the evasive maneuvers, we will need
additional tools to guarantee safety. It is our view that the correctness of the algorithm
must be established for all possible situations. Simulation and testing cannot accomplish
this. Although simulation and controlled experimentation are clearly necessary, they are
not sufficient to guarantee safety. This can only be done by analytical means, i.e., formal
methods. We should also note that it will also be necessary to demonstrate that the imple-
mentation of these algorithms is correct. This refinement verification, in our view, must also
be accomplished using formal methods. We hope to explore this issue with our colleagues in
future work.

⁷ How one might formally capture the notion of average performance is an interesting question.

⁸ No algorithm can issue an alarm only when an actual conflict will occur, since doing so requires an
accurate prediction of the actual future path of the other aircraft.

The trajectory model used in this paper is the final result after experimenting with 
several other alternatives. Earlier work looked at discrete versions with the expectation that 
this would lead to a more tractable verification task. Unfortunately the discretization of 
the trajectories led to significant (and accumulating) modeling error that led to erroneous 
conclusions. In the end, we settled on modeling trajectories as differentiable functions over 
real numbers. These trajectories are constrained by the dynamics of an aircraft. These 
constraints enable one to establish high-level properties that delineate when a conflict is 
possible. In this paper we have developed a formal theory about trajectories that can serve 
as the basis for the formal analysis of conflict detection and resolution (CD&R) algorithms. 
Several limitations to this formal theory will be addressed in future work: (1) the theory 
only deals with 2 aircraft, (2) the vertical dimension is not modeled, and (3) aircraft data 
measurement errors are not modeled. 

Because the trajectories of the aircraft are modeled by differentiable functions over real 
numbers and the discrete algorithms are periodically executed on a digital computer, the 
problem domain falls into the domain of hybrid models. The hybrid nature of the do- 
main makes the verification problem especially difficult. Automatic methods such as model 
checking cannot directly handle the continuous trajectories, and discretization leads to unac- 
ceptable errors. We are forced to reason about such systems in the context of a fully general 
theorem prover designed to handle a rich logic such as higher-order logic, type theory, or 
ZFC set theory. We have used SRI International's PVS theorem prover in our work and
found it to be sufficient to handle the problem, but our work was often impeded by PVS's
baroque method for dealing with nonlinear arithmetic. Although PVS provides a splendid 
suite of decision procedures that can automate much of the tedium of theorem proving, in 
this arena, they are not adequate. Simple properties of the reals must be manually extracted 
from the PVS prelude, manually instantiated, and directly invoked during the proof. Also it 
is often necessary to perform case splits to get a formula into a form that can be handled by 
the prover. Current work at SRI funded by NASA Langley is seeking to improve the PVS 
capability for reasoning about formulas containing nonlinear arithmetic. 

Future work will concentrate on applying this modeling framework to specific CD&R al- 
gorithms and perhaps to self-spacing and merging algorithms designed to increase capacity 
in the terminal area. We would also like to develop formal methods for analyzing conflict 
resolution schemes and the safety of algorithmically-generated evasive maneuvers [8]. The 
CD&R methods must be generalized to cover sets of aircraft constrained by formally spec- 
ified notions of aircraft density (static or dynamic). Finally, we would like to generalize 
the methods to encompass measurement error and data errors. This is a necessary step to-
wards developing formal methods useful for the design and implementation phases of realistic
avionics.
Appendix A: Technical Lemmas

Lemma 12 (Dxp).

$$x'(t) = v\cos(\theta_t - \theta_0).$$

Proof. We begin with the definition of $x$ (the x-coordinate after rotating the axes by $\theta_0$; see
Formula 22):

$$x(t) = \cos(\theta_0)[x_i(t) - x_e(T)] + \sin(\theta_0)[y_i(t) - y_e(T)].$$

Differentiating we have:

$$x'(t) = \cos(\theta_0)\, x_i'(t) + \sin(\theta_0)\, y_i'(t).$$

From the aircraft dynamics (see Formulas 1 and 2) we have $x_i'(t) = v\cos(\theta_t)$ and $y_i'(t) = v\sin(\theta_t)$,
which leads us to:

$$x'(t) = \cos(\theta_0)\, v\cos(\theta_t) + \sin(\theta_0)\, v\sin(\theta_t).$$

Applying the trigonometric identity for the cosine of the difference of two angles, we have

$$x'(t) = v\cos(\theta_t - \theta_0).$$

□

Lemma 13 (Dyp).

$$y'(t) = v\sin(\theta_t - \theta_0).$$

Proof. We begin with the definition of $y$ (the y-coordinate after rotating the axes by $\theta_0$; see
Formula 23):

$$y(t) = -\sin(\theta_0)[x_i(t) - x_e(T)] + \cos(\theta_0)[y_i(t) - y_e(T)].$$

Differentiating we have:

$$y'(t) = -\sin(\theta_0)\, x_i'(t) + \cos(\theta_0)\, y_i'(t).$$

From the aircraft dynamics (see Formulas 1 and 2) we have $x_i'(t) = v\cos(\theta_t)$ and $y_i'(t) = v\sin(\theta_t)$,
which leads us to:

$$y'(t) = -\sin(\theta_0)\, v\cos(\theta_t) + \cos(\theta_0)\, v\sin(\theta_t).$$

Applying the trigonometric identity for the sine of the difference of two angles, we have

$$y'(t) = v\sin(\theta_t - \theta_0).$$

□
Lemma 14 (YCNGFTYS_evader).

$$t \geq 0 \wedge l \geq vt \supset l - vt \leq e(t).$$

Proof. From Figure 5, we see that

$$l \leq e(t) + i(t).$$

From Theorem YCNGFTYS (Theorem 1), and the definition of $i(t)$, we have

$$i(t) \leq vt.$$

Thus, $l \leq e(t) + vt$ and hence

$$l - vt \leq e(t).$$

□

Lemma 15 (YCNGSTYS_evader).

$$t \geq 0 \wedge \rho t \leq 2 \wedge l \leq 2r\sin(\rho t/2) \supset 2r\sin(\rho t/2) - l \leq e(t).$$

Proof. Applying the triangle inequality to Figure 5, we have

$$i(t) \leq l + e(t).$$

Rearranging,

$$e(t) \geq i(t) - l.$$

From Theorem 2 and the definition of $i(t)$, we have $i(t) \geq 2r\sin(\rho t/2)$, which gives us:

$$e(t) \geq 2r\sin(\rho t/2) - l.$$

□

Lemma 16 (theta_inv).

$$-\rho t \leq \theta_t - \theta_0 \leq \rho t.$$

Proof. By Formula 4 we have

$$|\phi(t)| \leq \mathrm{MaxBank}.$$

The monotonic increasing property of the tangent function over the interval $[-\pi/4, \pi/4]$ yields:

$$\tan(-\mathrm{MaxBank}) \leq \tan(\phi(t)) \leq \tan(\mathrm{MaxBank}).$$

Multiplying by $g/v$ yields:

$$\frac{g\tan(-\mathrm{MaxBank})}{v} \leq \frac{g\tan(\phi(t))}{v} \leq \frac{g\tan(\mathrm{MaxBank})}{v}.$$

By the aircraft dynamics (see Equation 3), we have:

$$\frac{g\tan(-\mathrm{MaxBank})}{v} \leq \theta_t' \leq \frac{g\tan(\mathrm{MaxBank})}{v}.$$

But $\tan(-\mathrm{MaxBank}) = -\tan(\mathrm{MaxBank})$ and by definition $\rho = g\tan(\mathrm{MaxBank})/v$, giving us
our desired result:

$$-\rho \leq \theta_t' \leq \rho.$$

Integrating from $0$ to $t$ yields (Theorem 3):

$$-\rho t \leq \theta_t - \theta_0 \leq \rho t.$$

□
Lemma 17 (Dxp0_PI).

$$0 \leq t \wedge \rho t \leq \pi \supset x'(t) \geq v\cos(\rho t).$$

Proof. From lemma theta_inv we have:

$$-\rho t \leq \theta_t - \theta_0 \leq \rho t.$$

We consider two cases.

1. Case $\theta_t - \theta_0 \geq 0$. Since the cos function is monotonically decreasing over $[0, \pi]$, we
have

$$\cos(\theta_t - \theta_0) \geq \cos(\rho t).$$

From lemma Dxp, we know $x'(t) = v\cos(\theta_t - \theta_0)$, so we conclude

$$x'(t) = v\cos(\theta_t - \theta_0) \geq v\cos(\rho t).$$

2. Case $\theta_t - \theta_0 < 0$. From lemma theta_inv we have:

$$\theta_t - \theta_0 \geq -\rho t.$$

Since the cos function is monotonically increasing over $[-\pi, 0]$, we have

$$\cos(\theta_t - \theta_0) \geq \cos(-\rho t).$$

Since $\cos(-\rho t) = \cos(\rho t)$, we conclude

$$x'(t) = v\cos(\theta_t - \theta_0) \geq v\cos(\rho t).$$

□
Lemma 18 (xpt).

$$0 \leq t \wedge \rho t \leq \pi \supset x(t) - x(0) \geq h_x(t),$$

where $h_x(t) = r\sin(\rho t)$.

Proof. From lemma Dxp0_PI we have:

$$0 \leq t \wedge \rho t \leq \pi \supset x'(t) \geq v\cos(\rho t).$$

By differentiation:

$$x'(t) \geq \frac{d}{dt}\left[\frac{v}{\rho}\sin(\rho t)\right].$$

Integrating both sides:

$$\int_0^t x'(t)\,dt \geq \int_0^t \frac{d}{dt}\left[\frac{v}{\rho}\sin(\rho t)\right] dt.$$

This yields

$$x(t)\Big|_0^t \geq \frac{v}{\rho}\sin(\rho t)\Big|_0^t.$$

Simplifying and using the definition of $r$ ($r = v/\rho$), we conclude

$$x(t) - x(0) \geq r\sin(\rho t) = h_x(t).$$

□

Lemma 19 (Dyp0_PI2).

$$0 \leq t \wedge \rho t \leq \pi/2 \supset -v\sin(\rho t) \leq y'(t) \leq v\sin(\rho t).$$

Proof. From lemma theta_inv we have:

$$-\rho t \leq \theta_t - \theta_0 \leq \rho t.$$

Since $|\rho t| \leq \pi/2$ and $|\theta_t - \theta_0| \leq \pi/2$ and $\sin$ is monotonically increasing over this region, we
have

$$-\sin(\rho t) \leq \sin(\theta_t - \theta_0) \leq \sin(\rho t).$$

Multiplying through by $v$ and using lemma Dyp, $y'(t) = v\sin(\theta_t - \theta_0)$, yields:

$$-v\sin(\rho t) \leq y'(t) \leq v\sin(\rho t).$$

□

Lemma 20 (ypt).

$$0 \leq t \wedge \rho t \leq \pi/2 \supset h_y(t) - h_y(0) \leq y(t) - y(0) \leq h_y(0) - h_y(t),$$

where $h_y(t) = r\cos(\rho t)$.

Proof. From lemma Dyp0_PI2, we get:

$$-v\sin(\rho t) \leq y'(t) \leq v\sin(\rho t).$$

By definition $h_y(t) = r\cos(\rho t)$, so $h_y'(t) = -r\rho\sin(\rho t) = -v\sin(\rho t)$, so we obtain

$$h_y'(t) \leq y'(t) \leq -h_y'(t).$$

Integrating yields (see Theorem 3):

$$\int_0^t h_y'(t)\,dt \leq \int_0^t y'(t)\,dt \leq \int_0^t -h_y'(t)\,dt$$

and evaluating gives us:

$$h_y(t) - h_y(0) \leq y(t) - y(0) \leq h_y(0) - h_y(t).$$

□
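The bounds theta_inv, xpt and ypt can be exercised numerically on trajectories generated from the dynamics. The following Python block is an added example written for this page, not part of the paper's PVS development: it integrates $x' = v\cos\theta$, $y' = v\sin\theta$, $\theta' = g\tan(\phi)/v$ (Formulas 1 to 3) exactly over short steps on which the bank angle $\phi$ is held constant, rotates the displacement by $\theta_0$ as in Formulas 22 and 23, and checks $|\theta_t - \theta_0| \leq \rho t$, $x(t) - x(0) \geq r\sin(\rho t)$ and $r(\cos(\rho t) - 1) \leq y(t) - y(0) \leq r(1 - \cos(\rho t))$ along the path. It uses the paper's $v = 250$ ft/s; $g = 32.2$ ft/s² and a MaxBank of 30 degrees are assumed values, since the page gives neither numerically. The bank profiles are constructed inputs, and a profile outside $\pm\mathrm{MaxBank}$ is clamped, as Formula 4 requires.

```python
import math

G = 32.2                          # ft/s^2, assumed gravitational acceleration
V = 250.0                         # ft/s, ground speed used in the paper
MAX_BANK = math.radians(30.0)     # assumed MaxBank (not given numerically on the page)
RHO = G * math.tan(MAX_BANK) / V  # paper's definition: rho = g tan(MaxBank) / v
R_TURN = V / RHO                  # paper's turn radius r = v / rho


def integrate(bank_profile, theta0, t_end, dt=0.01):
    """Integrate x' = v cos(theta), y' = v sin(theta), theta' = g tan(phi) / v from the
    origin with initial heading theta0. phi = bank_profile(t) is clamped to |phi| <= MaxBank
    (Formula 4) and held constant over each step, so every step is a straight segment or a
    circular arc and is integrated exactly. Returns a list of (t, x, y, theta) samples."""
    x = y = 0.0
    theta, t = theta0, 0.0
    samples = [(t, x, y, theta)]
    while t < t_end - 1e-12:
        phi = max(-MAX_BANK, min(MAX_BANK, bank_profile(t)))
        omega = G * math.tan(phi) / V          # turn rate theta' for this step
        if abs(omega) < 1e-12:                 # straight segment
            x += V * math.cos(theta) * dt
            y += V * math.sin(theta) * dt
        else:                                  # arc: integrate cos/sin of a linear heading
            new_theta = theta + omega * dt
            x += (V / omega) * (math.sin(new_theta) - math.sin(theta))
            y -= (V / omega) * (math.cos(new_theta) - math.cos(theta))
            theta = new_theta
        t += dt
        samples.append((t, x, y, theta))
    return samples


def rotated(theta0, dx, dy):
    """Displacement in the axes rotated by theta0 (Formulas 22 and 23); the evader term
    of those formulas is constant in t and cancels in x(t) - x(0), y(t) - y(0)."""
    xr = math.cos(theta0) * dx + math.sin(theta0) * dy
    yr = -math.sin(theta0) * dx + math.cos(theta0) * dy
    return xr, yr


def worst_violation(bank_profile, theta0, t_end):
    """Largest amount by which theta_inv, xpt (checked while rho t <= pi) or ypt (checked
    while rho t <= pi/2) is violated along the integrated path; 0.0 means all bounds held."""
    worst = 0.0
    for t, x, y, theta in integrate(bank_profile, theta0, t_end):
        xr, yr = rotated(theta0, x, y)
        rt = RHO * t
        worst = max(worst, abs(theta - theta0) - rt)                  # theta_inv
        if rt <= math.pi:
            worst = max(worst, R_TURN * math.sin(rt) - xr)            # xpt
        if rt <= math.pi / 2:
            worst = max(worst, R_TURN * (math.cos(rt) - 1.0) - yr)    # ypt, lower bound
            worst = max(worst, yr - R_TURN * (1.0 - math.cos(rt)))    # ypt, upper bound
    return worst


def bounds_hold(bank_profile, theta0, t_end, tol=1e-6):
    """True when every bound holds along the path up to floating-point tolerance."""
    return worst_violation(bank_profile, theta0, t_end) <= tol


# Constructed bank-angle profiles (radians as a function of time in seconds).
PROFILES = {
    "max_left":  lambda t: MAX_BANK,
    "max_right": lambda t: -MAX_BANK,
    "straight":  lambda t: 0.0,
    "zigzag":    lambda t: MAX_BANK if int(t // 3.0) % 2 == 0 else -MAX_BANK,
    "over_bank": lambda t: 3.0 * MAX_BANK,   # clamped to MaxBank by integrate()
}


def check_all(theta0=0.4, t_end=20.0):
    """Run every profile and return {name: worst_violation}."""
    return {name: worst_violation(p, theta0, t_end) for name, p in PROFILES.items()}
```

The constant-bank profiles sit exactly on the xpt and ypt bounds (a full-rate turn is the extremal path), so any integration error would show up there first; the run length of 20 s keeps $\rho t$ below $\pi/2$ with the assumed parameters, so the ypt check applies throughout.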


Lemma 21 (cos_beta_NOT_Alpha).

$$\begin{aligned}
& v = 250 \wedge 9.5 \leq T \leq 10 \wedge \mathrm{AlertRange} = 1400 \wedge \\
& \neg\mathrm{Alpha}(\beta) \wedge \mathrm{MinDistance} \leq l \wedge l \leq \mathrm{MaxDistance} \\
& \supset \cos(\beta) \leq \cos(\mathrm{MinBeta}).
\end{aligned}$$

Proof. We begin by restating the formula using $\neg A \wedge B \supset C \iff \neg C \wedge B \supset A$,
a tautology:

$$\begin{aligned}
& \cos(\beta) > \cos(\mathrm{MinBeta}) \wedge \mathrm{MinDistance} \leq l \wedge l \leq \mathrm{MaxDistance} \wedge \\
& v = 250 \wedge 9.5 \leq T \leq 10 \wedge \mathrm{AlertRange} = 1400 \\
& \supset \mathrm{Alpha}(\beta).
\end{aligned}$$

We must establish $\mathrm{Alpha}(\beta)$, which is defined as below:

$$l\cos(\beta) \geq \frac{(vT)^2 + l^2 - \mathrm{AlertRange}^2}{2Tv}.$$

Clearly it suffices to show that

$$l\cos(\mathrm{MinBeta}) \geq \frac{(vT)^2 + l^2 - \mathrm{AlertRange}^2}{2Tv}.$$

Multiplying both sides by $2Tv$ yields

$$2Tvl\cos(\mathrm{MinBeta}) \geq (vT)^2 + l^2 - \mathrm{AlertRange}^2,$$

which is true for $9.5 \leq T \leq 10$, $v = 250$, and $\mathrm{AlertRange} = 1400$.

□
Lemma 22 (Alpha_d_AlertRange).

$$\mathrm{Alpha}(\beta) \iff d \leq \mathrm{AlertRange}.$$

Proof. By definition of Alpha, we have:

$$l\cos(\beta) \geq \frac{(vT)^2 + l^2 - \mathrm{AlertRange}^2}{2Tv} \iff d \leq \mathrm{AlertRange}.$$

Simplifying the left-hand side, we have:

$$\mathrm{AlertRange}^2 \geq (vT)^2 + l^2 - 2vTl\cos(\beta) \iff d \leq \mathrm{AlertRange}.$$

Now using the Law of Cosines (see Figure 7), we get $d^2 = (vT)^2 + l^2 - 2vTl\cos(\beta)$, and
substituting, we have

$$d^2 \leq \mathrm{AlertRange}^2 \iff d \leq \mathrm{AlertRange},$$

which is trivially true because $d$ and AlertRange are distances and hence non-negative. □
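The closing step of Lemma 21, that $2Tvl\cos(\mathrm{MinBeta}) \geq (vT)^2 + l^2 - \mathrm{AlertRange}^2$ on the stated parameter ranges, is exactly the kind of side condition a reviewer wants to see checked, and Lemma 22 turns $\mathrm{Alpha}(\beta)$ into a plain distance test. The following Python block is an added example, not the paper's PVS or MuPAD material: it solves the quadratic in $l$ that bounds where the Lemma 21 inequality holds, checks that $\mathrm{MaxDistance} = \mathrm{ConflictRange} + vT$ (the definition used in the proof of Section 3.4, with $\mathrm{ConflictRange} = 200$ ft from Section 4.2) lies inside that interval for $T$ between 9.5 and 10, reports the margin, and checks the equivalence $\mathrm{Alpha}(\beta) \iff d \leq \mathrm{AlertRange}$ of Lemma 22 on a grid of angles. MinDistance is not given numerically on the page, so the lower end of the interval is only reported, not compared against it.

```python
import math

V = 250.0                  # ft/s (paper)
ALERT_RANGE = 1400.0       # ft (paper)
CONFLICT_RANGE = 200.0     # ft (Section 4.2)
MIN_BETA = 539.0 / 1000.0  # MinBeta (Section 3.7)


def max_distance(T):
    """MaxDistance = ConflictRange + vT, as used in the proof of no_conflict_gt_max."""
    return CONFLICT_RANGE + V * T


def alpha_threshold(l, T):
    """Right-hand side of the definition of Alpha: ((vT)^2 + l^2 - AlertRange^2) / (2Tv)."""
    return ((V * T) ** 2 + l * l - ALERT_RANGE ** 2) / (2 * T * V)


def alpha(l, beta, T):
    """Alpha(beta): l cos(beta) >= ((vT)^2 + l^2 - AlertRange^2) / (2Tv)."""
    return l * math.cos(beta) >= alpha_threshold(l, T)


def d_from_law_of_cosines(l, beta, T):
    """d with d^2 = (vT)^2 + l^2 - 2vTl cos(beta) (Figure 7)."""
    return math.sqrt((V * T) ** 2 + l * l - 2 * V * T * l * math.cos(beta))


def lemma21_margin(l, T):
    """2Tvl cos(MinBeta) - ((vT)^2 + l^2 - AlertRange^2); the lemma needs this >= 0."""
    return 2 * T * V * l * math.cos(MIN_BETA) - ((V * T) ** 2 + l * l - ALERT_RANGE ** 2)


def lemma21_interval(T):
    """Interval of l on which lemma21_margin(l, T) >= 0. The margin is a downward
    parabola -l^2 + b l - c in l, so the set is the closed interval between its roots."""
    b = 2 * T * V * math.cos(MIN_BETA)
    c = (V * T) ** 2 - ALERT_RANGE ** 2
    disc = b * b - 4 * c
    if disc < 0:
        return None
    s = math.sqrt(disc)
    return (b - s) / 2, (b + s) / 2


def max_distance_inside(T):
    """True when MaxDistance(T) lies inside the interval where Lemma 21's inequality holds."""
    iv = lemma21_interval(T)
    return iv is not None and iv[0] <= max_distance(T) <= iv[1]


def lemma22_agrees(l, T, samples=360, tol=1e-9):
    """Check Alpha(beta) <=> d <= AlertRange on a grid of beta in [0, 2 pi)."""
    for k in range(samples):
        beta = 2 * math.pi * k / samples
        lhs = alpha(l, beta, T)
        rhs = d_from_law_of_cosines(l, beta, T) <= ALERT_RANGE + tol
        if lhs != rhs:
            return False
    return True
```

At $T = 10$ the upper root is only a few feet above $\mathrm{MaxDistance} = 2700$, so the inequality the lemma relies on is tight at that end of the lookahead window; at $T = 9.5$ the margin is far larger.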

Lemma 23 (xp0).

$$x(0) = -l\cos(\theta_0 + \beta).$$

Proof. We begin with the definition of $x$ (the x-coordinate after rotating the axes by $\theta_0$; see
Formula 22):

$$x(t) = \cos(\theta_0)[x_i(t) - x_e(T)] + \sin(\theta_0)[y_i(t) - y_e(T)].$$

From Formulas 16 and 17, we have $x_e(T) = l\cos(\beta) + x_i(0)$ and $y_e(T) = y_i(0) - l\sin(\beta)$.
Substituting we have:

$$\begin{aligned}
x(0) &= \cos(\theta_0)[-l\cos(\beta)] + \sin(\theta_0)[l\sin(\beta)] \\
&= -l[\cos(\theta_0)\cos(\beta) - \sin(\theta_0)\sin(\beta)] \\
&= -l\cos(\theta_0 + \beta).
\end{aligned}$$

The last step follows from the trigonometric identity for the cosine of the sum of two
angles. □

Lemma 24 (no_conflict_xp_1_Omega).

$$1 \leq t \wedge \rho t \leq \pi - \rho \wedge \mathrm{Omega}(\beta + \theta_0) \supset x(t) > \mathrm{ConflictRange}.$$

Proof. We begin with Lemma xpt:

$$0 \leq t \wedge \rho t \leq \pi \supset x(t) - x(0) \geq h_x(t).$$

By definition $h_x(t) = r\sin(\rho t)$, so we have

$$x(t) - x(0) \geq r\sin(\rho t)$$

dropping the premises. From Lemma xp0:

$$x(0) = -l\cos(\theta_0 + \beta).$$

Under the Omega assumption, $\cos(\theta_0 + \beta) \leq 0$, therefore $x(0)$ is non-negative, giving us

$$x(t) \geq r\sin(\rho t).$$

Then since $t \geq 1$, we have $\rho t \geq \rho$, and since $\rho t \leq \pi/2$, we have $\sin(\rho t) \geq \sin(\rho)$. This leads
to

$$x(t) \geq r\sin(\rho).$$

From the following increasing_r_sin_rho axiom:

$$r\sin(\rho) > \mathrm{ConflictRange}$$

(which has been checked in MuPAD whenever $v \geq 210$), we have the desired result. □

Lemma 25 (alarm_NOT_Omega_T).

$$\begin{aligned}
& \mathrm{MinDistance} \leq l \leq \mathrm{MaxDistance} \wedge \\
& \neg\mathrm{Omega}(\beta + \theta_0) \wedge \mathrm{conflict}_{ie}(T) \\
& \supset R(T) \leq \mathrm{AlertRange}.
\end{aligned}$$

Proof. We begin with Lemma R_T, which gives us:

$$R^2(T) = [l\cos(\beta + \theta_0) - vT]^2 + [l\sin(\beta + \theta_0)]^2. \tag{32}$$

From Lemma conflict_beta_theta, we have

$$\begin{aligned}
& \mathrm{MinDistance} \leq l \leq \mathrm{MaxDistance} \wedge \\
& \neg\mathrm{Omega}(\beta + \theta_0) \wedge \mathrm{conflict}_{ie}(T) \\
& \supset (\beta + \theta_0 < \mathrm{MinBeta}) \vee (\beta + \theta_0 > 2\pi - \mathrm{MinBeta}).
\end{aligned}$$

This gives us two cases to consider:

1. Case $\beta + \theta_0 < \mathrm{MinBeta}$. From Lemma Math_prop_alarm_1, after substituting $\beta + \theta_0$
for $\alpha$, we have

$$\begin{aligned}
& \mathrm{MinDistance} \leq l \leq \mathrm{MaxDistance} \wedge 0 \leq \beta + \theta_0 \wedge \beta + \theta_0 < \mathrm{MinBeta} \\
& \supset [l\cos(\beta + \theta_0) - vT]^2 + [l\sin(\beta + \theta_0)]^2 \leq \mathrm{AlertRange}^2.
\end{aligned}$$

Using this and Equation 32, we have⁹

$$R^2(T) \leq \mathrm{AlertRange}^2$$

from which the desired result $R(T) \leq \mathrm{AlertRange}$ immediately follows since AlertRange
is positive.

2. Case $\beta + \theta_0 > 2\pi - \mathrm{MinBeta}$. From Lemma Math_prop_alarm_2, after substituting
$\beta + \theta_0$ for $\alpha$, we have

$$\begin{aligned}
& \mathrm{MinDistance} \leq l \leq \mathrm{MaxDistance} \wedge \\
& 2\pi - \mathrm{MinBeta} < \beta + \theta_0 \wedge \beta + \theta_0 < 2\pi \\
& \supset [l\cos(\beta + \theta_0) - vT]^2 + [l\sin(\beta + \theta_0)]^2 \leq \mathrm{AlertRange}^2.
\end{aligned}$$

Using this and Equation 32, we have

$$R^2(T) \leq \mathrm{AlertRange}^2$$

from which the desired result $R(T) \leq \mathrm{AlertRange}$ immediately follows since AlertRange
is positive.

□

⁹ The angle $\beta$ is defined such that $0 \leq \beta + \theta_0 < 2\pi$.


Lemma 26 (alarm_NOT_Omega_tau).

$$\begin{aligned}
&\mathrm{MinDistance} \le l \le \mathrm{MaxDistance} \wedge \neg\mathrm{Omega}(\theta_0 + \beta) \wedge \mathrm{conflict}_{ie}(T) \wedge \tau(0) > 0 \\
&\supset R_*(\tau(0)) \le \mathrm{AlertRange}.
\end{aligned}$$

Proof. This proof follows easily from the analysis of two cases:

1. Case $R_*(T) \le \mathrm{AlertRange}$. If $T \le \tau(0)$, then from Lemma asymptotic_decrease_tau we have $R_*(\tau(0)) \le R_*(T)$, which gives us the desired result immediately by transitivity. Otherwise (i.e., $T > \tau(0)$), we use Lemma asymptotic_increase_tau, which gives us $R_*(\tau(0)) \le R_*(T)$, from which the desired result immediately follows by transitivity.

2. Case $R_*(T) > \mathrm{AlertRange}$. From Lemma alarm_NOT_Omega_T:

$$\begin{aligned}
&\mathrm{MinDistance} \le l \le \mathrm{MaxDistance} \wedge \neg\mathrm{Omega}(\beta + \theta_0) \wedge \mathrm{conflict}_{ie}(T) \\
&\supset R_*(T) \le \mathrm{AlertRange},
\end{aligned}$$

which contradicts the case hypothesis under the premises of this lemma; the case is therefore vacuous and the desired result holds.

□

Lemma 27 (alarm_NOT_Omega_AlertTime).

$$\begin{aligned}
&\mathrm{MinDistance} \le l \le \mathrm{MaxDistance} \wedge \neg\mathrm{Omega}(\beta + \theta_0) \wedge \mathrm{conflict}_{ie}(T) \wedge \tau(0) \ge \mathrm{AlertTime} \\
&\supset R_*(\mathrm{AlertTime}) \le \mathrm{AlertRange}.
\end{aligned}$$

Proof. From Lemma alarm_NOT_Omega_T, we have

$$\begin{aligned}
&\mathrm{MinDistance} \le l \le \mathrm{MaxDistance} \wedge \neg\mathrm{Omega}(\beta + \theta_0) \wedge \mathrm{conflict}_{ie}(T) \\
&\supset R_*(T) \le \mathrm{AlertRange},
\end{aligned}$$

and from Lemma asymptotic_decrease_tau, we have $R_*(\mathrm{AlertTime}) \le R_*(T)$. Combining these two results gives us the desired result immediately by transitivity. □

Lemma 28 (conflict_beta_theta).

$$\begin{aligned}
&\mathrm{MinDistance} \le l \le \mathrm{MaxDistance} \wedge \neg\mathrm{Omega}(\beta + \theta_0) \wedge \mathrm{conflict}_{ie}(T) \\
&\supset (\beta + \theta_0 < \mathrm{MinBeta}) \vee (\beta + \theta_0 > 2\pi - \mathrm{MinBeta}).
\end{aligned}$$

Proof. From the definition of $\mathrm{conflict}_{ie}$, we have

$$\sqrt{(x_i(T) - x_e(T))^2 + (y_i(T) - y_e(T))^2} \le \mathrm{ConflictRange}.$$

Squaring both sides:

$$(x_i(T) - x_e(T))^2 + (y_i(T) - y_e(T))^2 \le \mathrm{ConflictRange}^2.$$

From Lemma isometric_evader, we have

$$e(T)^2 = \hat{x}(T)^2 + \hat{y}(T)^2.$$

By definition of $e(T)$, we have:

$$(x_i(T) - x_e(T))^2 + (y_i(T) - y_e(T))^2 = \hat{x}(T)^2 + \hat{y}(T)^2.$$

By substitution, we obtain:

$$\hat{x}(T)^2 + \hat{y}(T)^2 \le \mathrm{ConflictRange}^2.$$

From Lemma xpt_PI, we obtain

$$0 \le T \wedge \rho T \le \pi \supset \hat{x}(T) \ge r\sin(\rho T) - l\cos(\beta + \theta_0),$$

and from Lemma yp_PI2, we obtain

$$\begin{aligned}
0 \le T \wedge \rho T \le \pi/2 \supset{} &\hat{y}(T) \ge l\sin(\beta + \theta_0) + r(\cos(\rho T) - 1) \wedge \\
&\hat{y}(T) \le l\sin(\beta + \theta_0) - r(\cos(\rho T) - 1).
\end{aligned}$$

Direct calculation provides $\rho T \le \pi/2$, which discharges the premises of these two lemmas. Then from Lemma Math_prop_no_conflict_1 (substituting $\beta + \theta_0$ for $\alpha$, $\hat{x}(T)$ for $x$, and $\hat{y}(T)$ for $y$), we get

$$\begin{aligned}
&\mathrm{MinDistance} \le l \le \mathrm{MaxDistance} \wedge \\
&\mathrm{MinBeta} \le \beta + \theta_0 \wedge \beta + \theta_0 \le \pi/2 \wedge \\
&\hat{y}(T) \ge l\sin(\beta + \theta_0) + r(\cos(\rho T) - 1) \wedge \\
&\hat{x}(T) \ge r\sin(\rho T) - l\cos(\beta + \theta_0) \\
&\supset \hat{x}^2(T) + \hat{y}^2(T) > \mathrm{ConflictRange}^2.
\end{aligned}$$

From Lemma Math_prop_no_conflict_2 (substituting $\beta + \theta_0$ for $\alpha$, $\hat{x}(T)$ for $x$, and $\hat{y}(T)$ for $y$), we get

$$\begin{aligned}
&\mathrm{MinDistance} \le l \le \mathrm{MaxDistance} \wedge \\
&3\pi/2 \le \beta + \theta_0 \wedge \beta + \theta_0 \le 2\pi - \mathrm{MinBeta} \wedge \\
&\hat{y}(T) \le l\sin(\beta + \theta_0) - r(\cos(\rho T) - 1) \wedge \\
&\hat{x}(T) \ge -l\cos(\beta + \theta_0) + r\sin(\rho T) \\
&\supset \hat{x}^2(T) + \hat{y}^2(T) > \mathrm{ConflictRange}^2.
\end{aligned}$$

Discharging the premises of these lemmas from the main premises and derived results we obtain:

$$\mathrm{MinBeta} \le \beta + \theta_0 \wedge \beta + \theta_0 \le \pi/2 \supset \hat{x}^2(T) + \hat{y}^2(T) > \mathrm{ConflictRange}^2$$

and

$$3\pi/2 \le \beta + \theta_0 \wedge \beta + \theta_0 \le 2\pi - \mathrm{MinBeta} \supset \hat{x}^2(T) + \hat{y}^2(T) > \mathrm{ConflictRange}^2.$$

The contrapositives of these are:

$$\hat{x}^2(T) + \hat{y}^2(T) \le \mathrm{ConflictRange}^2 \supset \mathrm{MinBeta} > \beta + \theta_0 \vee \beta + \theta_0 > \pi/2$$

and

$$\hat{x}^2(T) + \hat{y}^2(T) \le \mathrm{ConflictRange}^2 \supset 3\pi/2 > \beta + \theta_0 \vee \beta + \theta_0 > 2\pi - \mathrm{MinBeta}.$$

Combining these results with the bound $\hat{x}(T)^2 + \hat{y}(T)^2 \le \mathrm{ConflictRange}^2$ derived above, we end up with

$$(\mathrm{MinBeta} > \beta + \theta_0 \vee \beta + \theta_0 > \pi/2) \wedge (3\pi/2 > \beta + \theta_0 \vee \beta + \theta_0 > 2\pi - \mathrm{MinBeta}).$$

But by definition of the premise $\neg\mathrm{Omega}$ we have:

$$\beta + \theta_0 < \pi/2 \vee \beta + \theta_0 > 3\pi/2.$$

Combining those last two results (when $\beta + \theta_0 < \pi/2$ the first conjunct leaves only $\mathrm{MinBeta} > \beta + \theta_0$; when $\beta + \theta_0 > 3\pi/2$ the second conjunct leaves only $\beta + \theta_0 > 2\pi - \mathrm{MinBeta}$) yields

$$\mathrm{MinBeta} > \beta + \theta_0 \vee \beta + \theta_0 > 2\pi - \mathrm{MinBeta},$$

the desired result. □

Lemma 29 (xpt_PI).

$$0 \le t \wedge \rho t \le \pi \supset \hat{x}(t) \ge r\sin(\rho t) - l\cos(\beta + \theta_0).$$

Proof. From Lemma xpt, we have

$$0 \le t \wedge \rho t \le \pi \supset \hat{x}(t) - \hat{x}(0) \ge h_x(t).$$

From Lemma xp0, we have

$$\hat{x}(0) = -l\cos(\theta_0 + \beta).$$

By definition, $h_x(t) = r\sin(\rho t)$, so we have

$$\hat{x}(t) \ge r\sin(\rho t) - l\cos(\theta_0 + \beta),$$

the desired result. □

Lemma 30 (yp_PI2).

$$\begin{aligned}
0 \le T \wedge \rho T \le \pi/2 \supset{} &\hat{y}(T) \ge l\sin(\beta + \theta_0) + r(\cos(\rho T) - 1) \wedge \\
&\hat{y}(T) \le l\sin(\beta + \theta_0) - r(\cos(\rho T) - 1).
\end{aligned}$$

Proof. From Lemma ypt, we have

$$\begin{aligned}
0 \le t \wedge \rho t \le \pi/2 \supset{} &\hat{y}(t) - \hat{y}(0) \ge h_y(t) - h_y(0) \wedge \\
&\hat{y}(t) - \hat{y}(0) \le h_y(0) - h_y(t).
\end{aligned}$$

From Lemma yp0, we have

$$\hat{y}(0) = l\sin(\theta_0 + \beta).$$

By definition $h_y(t) = r\cos(\rho t)$, so substituting for $\hat{y}(0)$ we have

$$\begin{aligned}
&\hat{y}(t) - l\sin(\theta_0 + \beta) \ge r\cos(\rho t) - r\cos(0) \wedge \\
&\hat{y}(t) - l\sin(\theta_0 + \beta) \le r\cos(0) - r\cos(\rho t),
\end{aligned}$$

which simplifies to

$$\begin{aligned}
&\hat{y}(t) - l\sin(\theta_0 + \beta) \ge r(\cos(\rho t) - 1) \wedge \\
&\hat{y}(t) - l\sin(\theta_0 + \beta) \le r(1 - \cos(\rho t)),
\end{aligned}$$

from which the desired result immediately follows. □
Lemma 31 (yp0).

$$\hat{y}(0) = l\sin(\theta_0 + \beta).$$

Proof. We begin with the definition of $\hat{y}$ (the y-coordinate after rotating the axes by $\theta_0$). Formula 23, after substituting $0$ for $t$, becomes

$$\hat{y}(0) = \cos(\theta_0)\,[y_i(0) - y_e(T)] - \sin(\theta_0)\,[x_i(0) - x_e(T)].$$

From Formulas 16 and 17, we have $x_e(T) = l\cos(\beta) + x_i(0)$ and $y_e(T) = y_i(0) - l\sin(\beta)$. Substituting we have:

$$\begin{aligned}
\hat{y}(0) &= \cos(\theta_0)\,[l\sin(\beta)] - \sin(\theta_0)\,[-l\cos(\beta)] \\
&= l\,[\cos(\theta_0)\sin(\beta) + \sin(\theta_0)\cos(\beta)] \\
&= l\sin(\theta_0 + \beta).
\end{aligned}$$

The last step follows from the trigonometric identity for the sine of the sum of two angles. □

Lemma 32 (ails_alarm_tau_gt0).

$$\begin{aligned}
&\mathrm{MinDistance} \le l \le \mathrm{MaxDistance} \wedge \neg\mathrm{Omega}(\beta + \theta_0) \wedge \tau(0) > 0 \wedge \mathrm{conflict}_{ie}(T) \\
&\supset \mathrm{ails\_alert}(\mathrm{measure2state}(i, 0), \mathrm{measure2state}(e, 0)).
\end{aligned}$$

Proof. We split into two cases.

1. Case $\rho(\mathrm{bank}(i)) = 0$. In this case ails_alert simplifies to chktrack(i, e, 0). Expanding chktrack (its $\tau(0) < 0$ branch is ruled out by the premise $\tau(0) > 0$) we have

    IF $\tau(0) \ge \mathrm{AlertTime}$
    THEN $R_*(\mathrm{AlertTime}) \le \mathrm{AlertRange}$
    ELSE $R_*(\tau(0)) \le \mathrm{AlertRange}$
    ENDIF

where $R_*(t)$ is an abbreviation for $R(\mathrm{measure2state}(i, 0), \mathrm{measure2state}(e, 0), t)$, which is the $R$ function (i.e., Equation 14) evaluated on the measured state variables at time $t$.

(a) Case $\tau(0) \ge \mathrm{AlertTime}$. We need to establish that

$$R_*(\mathrm{AlertTime}) \le \mathrm{AlertRange}.$$

From Lemma asymptotic_decrease_tau, we have:

$$R_*(T) \ge R_*(\mathrm{AlertTime}).$$

From Lemma alarm_NOT_Omega_T we have:

$$\begin{aligned}
&\mathrm{MinDistance} \le l \le \mathrm{MaxDistance} \wedge \neg\mathrm{Omega}(\beta + \theta_0) \wedge \mathrm{conflict}_{ie}(T) \\
&\supset R_*(T) \le \mathrm{AlertRange},
\end{aligned}$$

and we immediately get the desired result by transitivity.

(b) Case $\tau(0) < \mathrm{AlertTime}$. We need to establish that

$$R_*(\tau(0)) \le \mathrm{AlertRange}.$$

From Lemma alarm_NOT_Omega_tau, we have

$$\begin{aligned}
&\mathrm{MinDistance} \le l \le \mathrm{MaxDistance} \wedge \neg\mathrm{Omega}(\theta_0 + \beta) \wedge \mathrm{conflict}_{ie}(T) \wedge \tau(0) > 0 \\
&\supset R_*(\tau(0)) \le \mathrm{AlertRange},
\end{aligned}$$

which discharges this case.

2. Case $\rho(\mathrm{bank}(i)) \ne 0$. Expanding ails_alert and arc_loop, and using the fact that $\mathrm{mod}(0, m) = 0$ for $m \ne 0$, we end up with a goal identical to the one proved in the previous case. This means that only one tangential projection is necessary to issue an alarm.

□

The following lemmas are more general than the other lemmas in the appendix in that they only involve standard mathematical functions and not the specific functions of the collision avoidance framework$^{10}$. It is noteworthy that they were discovered with the aid of a plotting tool (GNUPLOT) and a computer algebra program named MuPAD. At first these were introduced into the PVS theories as axioms. After all of the main theorems of this paper were completed, proofs of these lemmas were constructed in PVS. Whether this last step is necessary is a philosophical question. Nevertheless, this two-step process was essential to the discovery of several of the proofs in this paper.

$^{10}$ Although the lemmas reference terms such as $\mathrm{MinDistance}$ and $\mathrm{ConflictRange}$, these are just constants that can be replaced by their values.
Lemma 33 (Math_prop_no_conflict_1).

$$\begin{aligned}
&v = 250 \wedge 9.5 \le T \le 10 \wedge \\
&\mathrm{MinDistance} \le l \le \mathrm{MaxDistance} \wedge \\
&\mathrm{MinBeta} \le \alpha \le \pi/2 \wedge \\
&y \ge l\sin(\alpha) + r[\cos(\rho T) - 1] \wedge x \ge r\sin(\rho T) - l\cos(\alpha) \\
&\supset x^2 + y^2 > \mathrm{ConflictRange}^2,
\end{aligned}$$

where $\mathrm{MinBeta} = 539/1000$.

Proof. The key to proving this theorem was finding the minimum of

$$[r\sin(\rho T) - l\cos(\mathrm{MinBeta})]^2 + [r(\cos(\rho T) - 1) + l\sin(\mathrm{MinBeta})]^2 \qquad (33)$$

as a function of $l$, and splitting the proof into the two cases on each side of this minimum. The minimum occurred around $L = 2442$, as illustrated in Figure 9.

[Figure 9: Plot of Formula 33 as a function of $l$.]

1. Case $l \le L$. Because $\sin$ is monotonically increasing over the range $[0, \pi/2]$ and $\mathrm{MinBeta} \le \alpha$, we have:

$$l\sin(\alpha) + r[\cos(\rho T) - 1] \ge l\sin(\mathrm{MinBeta}) + r[\cos(\rho T) - 1].$$

Applying transitivity to this formula and the $y$ premise of the theorem, we have

$$y \ge l\sin(\mathrm{MinBeta}) + r[\cos(\rho T) - 1].$$

Squaring both sides:

$$y^2 \ge [r(\cos(\rho T) - 1) + l\sin(\mathrm{MinBeta})]^2. \qquad (34)$$

Because $\cos$ is monotonically decreasing over the range $[0, \pi/2]$ and $\mathrm{MinBeta} \le \alpha$, we have:

$$r\sin(\rho T) - l\cos(\alpha) \ge r\sin(\rho T) - l\cos(\mathrm{MinBeta}).$$

Applying transitivity to this formula and the $x$ premise of the theorem, we have

$$x \ge r\sin(\rho T) - l\cos(\mathrm{MinBeta}).$$

Squaring both sides:

$$x^2 \ge [r\sin(\rho T) - l\cos(\mathrm{MinBeta})]^2. \qquad (35)$$

Combining Formulas 35 and 34 yields:

$$x^2 + y^2 \ge [r\sin(\rho T) - l\cos(\mathrm{MinBeta})]^2 + [r(\cos(\rho T) - 1) + l\sin(\mathrm{MinBeta})]^2.$$

Expanding the squares:

$$\begin{aligned}
x^2 + y^2 \ge{} &r^2\sin^2(\rho T) + l^2\cos^2(\mathrm{MinBeta}) - 2lr\sin(\rho T)\cos(\mathrm{MinBeta}) \\
&+ r^2(\cos(\rho T) - 1)^2 + l^2\sin^2(\mathrm{MinBeta}) \\
&+ 2lr(\cos(\rho T) - 1)\sin(\mathrm{MinBeta}).
\end{aligned}$$

Using $\sin^2(\alpha) + \cos^2(\alpha) = 1$, we have

$$\begin{aligned}
x^2 + y^2 \ge{} &r^2\sin^2(\rho T) + l^2 - 2lr\sin(\rho T)\cos(\mathrm{MinBeta}) \\
&+ r^2(\cos(\rho T) - 1)^2 + 2lr[\cos(\rho T) - 1]\sin(\mathrm{MinBeta}).
\end{aligned}$$

Further expansion and simplification yields:

$$\begin{aligned}
x^2 + y^2 \ge{} &l^2 - 2lr\sin(\rho T)\cos(\mathrm{MinBeta}) \\
&+ r^2[\sin^2(\rho T) + \cos^2(\rho T) - 2\cos(\rho T) + 1] + 2lr[\cos(\rho T) - 1]\sin(\mathrm{MinBeta}).
\end{aligned}$$

Using $\sin^2(\alpha) + \cos^2(\alpha) = 1$ again, we have

$$\begin{aligned}
x^2 + y^2 \ge{} &l^2 - 2lr\sin(\rho T)\cos(\mathrm{MinBeta}) \\
&+ 2r^2[1 - \cos(\rho T)] + 2lr[\cos(\rho T) - 1]\sin(\mathrm{MinBeta}).
\end{aligned}$$

Rearranging terms and simplifying:

$$\begin{aligned}
x^2 + y^2 \ge{} &l^2 + 2r^2[1 - \cos(\rho T)] \\
&+ 2lr[(\cos(\rho T) - 1)\sin(\mathrm{MinBeta}) - \sin(\rho T)\cos(\mathrm{MinBeta})].
\end{aligned}$$

Further manipulation yields:

$$\begin{aligned}
x^2 + y^2 \ge{} &l^2 + 2r^2[1 - \cos(\rho T)] - 2lr\sin(\mathrm{MinBeta}) \\
&+ 2lr[\cos(\rho T)\sin(\mathrm{MinBeta}) - \sin(\rho T)\cos(\mathrm{MinBeta})].
\end{aligned}$$

Using the trigonometric identity for the sine of the difference of two angles yields:

$$x^2 + y^2 \ge l^2 + 2r^2[1 - \cos(\rho T)] - 2lr\sin(\mathrm{MinBeta}) + 2lr\sin(\mathrm{MinBeta} - \rho T).$$

Using $\sin(-\alpha) = -\sin(\alpha)$, we have:

$$x^2 + y^2 \ge l^2 + 2r^2[1 - \cos(\rho T)] - 2lr\sin(\mathrm{MinBeta}) - 2lr\sin(\rho T - \mathrm{MinBeta}).$$

Rearranging terms and simplifying:

$$x^2 + y^2 \ge l^2 + 2r^2 - 2r^2\cos(\rho T) - 2lr\sin(\mathrm{MinBeta}) - 2lr\sin(\rho T - \mathrm{MinBeta}).$$

Now, axiom Ax2, which has been checked in MuPAD, yields:

$$\begin{aligned}
&v = 250 \wedge 9.5 \le T \le 10 \wedge \mathrm{MinDistance} \le l \le L \\
&\supset l^2 + 2r^2 - \mathrm{ConflictRange}^2 - 2r^2\cos(\rho T) - 2lr\sin(\mathrm{MinBeta}) - 2lr\sin(\rho T - \mathrm{MinBeta}) > 0.
\end{aligned}$$

Rearranging the terms of this axiom gives us:

$$l^2 + 2r^2 - 2r^2\cos(\rho T) - 2lr\sin(\mathrm{MinBeta}) - 2lr\sin(\rho T - \mathrm{MinBeta}) > \mathrm{ConflictRange}^2.$$

Transitivity yields

$$x^2 + y^2 > \mathrm{ConflictRange}^2,$$

the desired result.

2. Case $l \ge L$. Using the techniques described in Section 3, the lemma Math_prop_no_conflict_y_L_PI2:

$$\begin{aligned}
&v = 250 \wedge 9.5 \le T \le 10 \wedge L \le l \le \mathrm{MaxDistance} \wedge \\
&\mathrm{MinBeta} \le \alpha \le \pi/2 \wedge y \ge l\sin(\alpha) + r[\cos(\rho T) - 1] \\
&\supset y > \mathrm{ConflictRange}
\end{aligned}$$

is easily established. The premises of this lemma follow from the premises of the theorem, so we have

$$y > \mathrm{ConflictRange}.$$

Squaring both sides yields

$$y^2 > \mathrm{ConflictRange}^2,$$

from which the desired result

$$x^2 + y^2 > \mathrm{ConflictRange}^2$$

immediately follows.

□
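The algebraic reduction above, the minimum it hinges on, and the two-step process described before Lemma 33 (plot, adopt as an axiom, prove later) can all be exercised numerically. The following Python script is an added example and is not part of the paper or its PVS development: it implements Formula 33, the closed form the proof reduces it to, and the minimizer obtained by differentiating Formula 33 in $l$ (the proof reads that minimum off Figure 9), and it checks Axiom Ax2 on an interval by evaluating the quadratic at the clamped minimizer rather than by sampling $l$. Only $v = 250$ and $\mathrm{MinBeta} = 539/1000$ come from the lemma; $g$, the bank angle that fixes $r$ and $\rho$, and the $\mathrm{MinDistance}$, $L$ and $\mathrm{ConflictRange}$ values handed to the check are assumptions of the example, not the paper's constants, so the minimizer it reports need not coincide with the paper's $L = 2442$.

```python
import math

# From Lemma 33: v = 250 and MinBeta = 539/1000 (radians).
V = 250.0
MIN_BETA = 539 / 1000

# Assumed for this example only (the appendix leaves them as named constants):
# gravitational acceleration and a bank angle, which fix the turn radius
# r = v^2 / (g tan(phi)) and the turn rate rho = g tan(phi) / v.
G = 32.2                   # ft/s^2, assumption
PHI = math.radians(30.0)   # bank angle, assumption


def turn_radius(v=V, g=G, phi=PHI):
    """r = v^2 / (g tan(phi))."""
    return v * v / (g * math.tan(phi))


def turn_rate(v=V, g=G, phi=PHI):
    """rho = g tan(phi) / v."""
    return g * math.tan(phi) / v


def formula33(l, r, rho, T, b=MIN_BETA):
    """Formula 33: [r sin(rho T) - l cos(MinBeta)]^2 + [r (cos(rho T) - 1) + l sin(MinBeta)]^2."""
    return ((r * math.sin(rho * T) - l * math.cos(b)) ** 2
            + (r * (math.cos(rho * T) - 1) + l * math.sin(b)) ** 2)


def expanded_bound(l, r, rho, T, b=MIN_BETA):
    """The closed form the proof of Lemma 33 reduces Formula 33 to:
    l^2 + 2 r^2 - 2 r^2 cos(rho T) - 2 l r sin(MinBeta) - 2 l r sin(rho T - MinBeta)."""
    return (l * l + 2 * r * r - 2 * r * r * math.cos(rho * T)
            - 2 * l * r * math.sin(b) - 2 * l * r * math.sin(rho * T - b))


def analytic_minimizer(r, rho, T, b=MIN_BETA):
    """Formula 33 is a quadratic in l whose leading coefficient is cos^2 + sin^2 = 1.
    Setting its derivative in l to zero gives
    l* = r [sin(rho T) cos(MinBeta) + (1 - cos(rho T)) sin(MinBeta)]."""
    return r * (math.sin(rho * T) * math.cos(b) + (1 - math.cos(rho * T)) * math.sin(b))


def numeric_minimizer(r, rho, T, lo=0.0, hi=10000.0, step=1.0, b=MIN_BETA):
    """Brute-force argmin of Formula 33 on a grid, the way L was located from a plot."""
    best_l, best_val = lo, float("inf")
    n = int((hi - lo) / step)
    for k in range(n + 1):
        l = lo + k * step
        val = formula33(l, r, rho, T, b)
        if val < best_val:
            best_l, best_val = l, val
    return best_l


def min_on_interval(lo, hi, r, rho, T, b=MIN_BETA):
    """Exact minimum of Formula 33 over lo <= l <= hi: the function is convex in l,
    so the minimum sits at the unconstrained minimizer clamped to the interval."""
    l_star = min(max(analytic_minimizer(r, rho, T, b), lo), hi)
    return formula33(l_star, r, rho, T, b)


def ax2_holds(conflict_range, min_distance, L, r, rho,
              t_lo=9.5, t_hi=10.0, samples=51, b=MIN_BETA):
    """Numerical check of Axiom Ax2: for every sampled T in [t_lo, t_hi] the bound exceeds
    ConflictRange^2 on all of MinDistance <= l <= L. The l-direction is handled exactly
    through min_on_interval; T is sampled, so this is a check, not a proof."""
    for k in range(samples):
        T = t_lo + (t_hi - t_lo) * k / (samples - 1)
        if not min_on_interval(min_distance, L, r, rho, T, b) > conflict_range ** 2:
            return False
    return True
```

With the assumed bank angle, `analytic_minimizer(turn_radius(), turn_rate(), 10.0)` lands a few percent below the paper's $L = 2442$; the point of the block is that the location of the minimum follows from the quadratic form in $l$, and that Ax2 for a given $\mathrm{ConflictRange}$ reduces to one evaluation of Formula 33 per $T$.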

Lemma 34 (Math_prop_no_conflict_2).

$$\begin{aligned}
&v = 250 \wedge 9.5 \le T \le 10 \wedge \mathrm{MinDistance} \le l \le \mathrm{MaxDistance} \wedge \\
&3\pi/2 \le \alpha \le 2\pi - \mathrm{MinBeta} \wedge \\
&y \le l\sin(\alpha) - r(\cos(\rho T) - 1) \wedge x \ge r\sin(\rho T) - l\cos(\alpha) \\
&\supset x^2 + y^2 > \mathrm{ConflictRange}^2.
\end{aligned}$$

Proof. Using Lemma Math_prop_no_conflict_1, substituting $2\pi - \alpha$ for $\alpha$ and $-y$ for $y$ yields:

$$\begin{aligned}
&v = 250 \wedge 9.5 \le T \le 10 \wedge \mathrm{MinDistance} \le l \le \mathrm{MaxDistance} \wedge \\
&\mathrm{MinBeta} \le 2\pi - \alpha \le \pi/2 \wedge \\
&-y \ge l\sin(2\pi - \alpha) + r[\cos(\rho T) - 1] \wedge x \ge r\sin(\rho T) - l\cos(2\pi - \alpha) \\
&\supset x^2 + (-y)^2 > \mathrm{ConflictRange}^2.
\end{aligned}$$

Since $(-y)^2 = y^2$, $\sin(2\pi - \alpha) = -\sin(\alpha)$ and $\cos(2\pi - \alpha) = \cos(\alpha)$, we have

$$\begin{aligned}
&v = 250 \wedge 9.5 \le T \le 10 \wedge \mathrm{MinDistance} \le l \le \mathrm{MaxDistance} \wedge \\
&\mathrm{MinBeta} \le 2\pi - \alpha \le \pi/2 \wedge \\
&-y \ge -l\sin(\alpha) + r[\cos(\rho T) - 1] \wedge x \ge r\sin(\rho T) - l\cos(\alpha) \\
&\supset x^2 + y^2 > \mathrm{ConflictRange}^2.
\end{aligned}$$

Multiplying both sides of the $y$ premise by $-1$ and rewriting $\mathrm{MinBeta} \le 2\pi - \alpha \le \pi/2$ as $3\pi/2 \le \alpha \le 2\pi - \mathrm{MinBeta}$ yields the desired result. □

Lemma 35 (Math_prop_alarm_1).

$$\mathrm{MinDistance} \le l \le \mathrm{MaxDistance} \wedge 0 \le \alpha \wedge \alpha < \mathrm{MinBeta} \supset [l\cos(\alpha) - vT]^2 + [l\sin(\alpha)]^2 \le \mathrm{AlertRange}^2.$$

Proof. Using algebraic manipulation we get

$$[l\cos(\alpha) - vT]^2 + [l\sin(\alpha)]^2 = v^2T^2 + l^2 - 2vTl\cos(\alpha).$$

Using the techniques described in Section 3 (since $0 \le \alpha < \mathrm{MinBeta} \le \pi/2$ and $\cos$ is decreasing on that range, $\cos(\alpha) \ge \cos(\mathrm{MinBeta})$), we get

$$v^2T^2 + l^2 - 2vTl\cos(\alpha) \le v^2T^2 + l^2 - 2vTl\cos(\mathrm{MinBeta}).$$

Finally, we have checked in MuPAD, and assumed it as an axiom in PVS (Axiom Ax3), that

$$v^2T^2 + l^2 - 2vTl\cos(\mathrm{MinBeta}) \le \mathrm{AlertRange}^2$$

under the given hypotheses. Transitivity yields the result. □

Lemma 36 (Math_prop_alarm_2).

$$\mathrm{MinDistance} \le l \le \mathrm{MaxDistance} \wedge 2\pi - \mathrm{MinBeta} < \alpha \wedge \alpha < 2\pi \supset [l\cos(\alpha) - vT]^2 + [l\sin(\alpha)]^2 \le \mathrm{AlertRange}^2.$$

Proof. Using Lemma Math_prop_alarm_1, substituting $2\pi - \alpha$ for $\alpha$ yields:

$$\begin{aligned}
&\mathrm{MinDistance} \le l \le \mathrm{MaxDistance} \wedge 0 \le 2\pi - \alpha \wedge 2\pi - \alpha < \mathrm{MinBeta} \\
&\supset [l\cos(2\pi - \alpha) - vT]^2 + [l\sin(2\pi - \alpha)]^2 \le \mathrm{AlertRange}^2.
\end{aligned}$$

We conclude using the equalities $\cos(2\pi - \alpha) = \cos(\alpha)$, $\sin(2\pi - \alpha) = -\sin(\alpha)$, and $[-l\sin(\alpha)]^2 = [l\sin(\alpha)]^2$. □
Appendix B: Table of Translations

  Paper                     PVS
  -----                     ---
  $i$                       intr
  $e$                       evad
  $\theta_t$                theta(t)
  $\theta_0$                theta(0)
  $\rho$                    rho(v)
  $\beta$                   beta
  $\phi$                    phi
  $R(i, e, t)$              R(intruder, evader, t)
  $\tau(t)$                 tau(intruder, evader, t)
  $x_i$                     x(intruder)
  $x_e$                     x(evader)
  $\hat{x}(t)$              xp(t)
  $\hat{y}(t)$              yp(t)
  $\hat{x}'(t)$             D(xp(t))
  $\hat{y}'(t)$             D(yp(t))
  $x^*$                     xtrk
  $y^*$                     ytrk
  $\sin_{lb}$               sin_lb
  $\cos_{lb}$               cos_lb
  $\sin_{ub}$               sin_ub
  $\cos_{ub}$               cos_ub
  $r_{ub}$                  r_ub(V)
  $\rho_{ub}$               rho_ub(V)
  $r_{lb}$                  r_lb(V)
  $\rho_{lb}$               rho_lb(V)
  $D_{ie}(t_i, t_e)$        Die(ti, te)
Appendix C: AILS Alerting Algorithm in PVS

  ails: THEORY
  BEGIN

    Bank: TYPE = {r: real | -MaxBank <= r <= MaxBank}

    State: TYPE = [# x: real, y: real, heading: real, bank: Bank #]

    i, e: VAR State
    range, t: VAR real
    phi: VAR Bank
    r, rho: VAR real
    k: VAR [0..MaxStep]
    idtrk: VAR posnat

    rho(phi): real = g*tan(phi)/v

    chkrange(range, t): bool = range <= AlertRange AND t <= AlertTime

    chktrack(i, e, t): bool =
      LET tau = tau(i, e, 0) IN
      IF tau < 0
      THEN chkrange(R(i, e, 0), t)
      ELSIF t + tau >= AlertTime
      THEN R(i, e, AlertTime) <= AlertRange
      ELSE R(i, e, tau) <= AlertRange
      ENDIF

    arc_loop(i, e, r, rho, idtrk, k): RECURSIVE bool =
      IF k = MaxStep
      THEN FALSE
      ELSE LET t = k IN
           LET xloc = x(e) + v*t IN
           LET yloc = y(e) IN
           LET (xtrk, ytrk) =
             IF rho > 0
             THEN (x(i) + r*(sin(heading(i) + rho*t) - sin(heading(i))),
                   y(i) + r*(cos(heading(i)) - cos(heading(i) + rho*t)))
             ELSE (x(i) + r*(sin(heading(i)) - sin(heading(i) + rho*t)),
                   y(i) + r*(cos(heading(i) + rho*t) - cos(heading(i))))
             ENDIF
           IN
           IF NOT mod(k, idtrk) = 0
           THEN LET range = sqrt((xtrk - xloc)^2 + (ytrk - yloc)^2) IN
                IF chkrange(range, t)
                THEN TRUE
                ELSE arc_loop(i, e, r, rho, idtrk, k + 1)
                ENDIF
           ELSE LET tantrk = heading(i) + t*rho IN
                LET int = i WITH [x := xtrk, y := ytrk, heading := tantrk] IN
                LET eva = e WITH [x := xloc, y := yloc] IN
                IF chktrack(int, eva, t)
                THEN TRUE
                ELSE arc_loop(i, e, r, rho, idtrk, k + 1)
                ENDIF
           ENDIF
      ENDIF
      MEASURE (MaxStep - k)

    ails_alert(i, e): bool =
      LET phi = bank(i) IN
      LET rho = rho(phi) IN
      IF rho = 0
      THEN chktrack(i, e, 0)
      ELSE LET r = v^2/(g*tan(phi)) IN
           LET idtrk = IF rho >= 3 THEN 1
                       ELSIF rho >= 1 + 1/2 THEN 2
                       ELSE IF rho >= 3/4 THEN 4 ELSE 8 ENDIF
                       ENDIF
           IN arc_loop(i, e, r, rho, idtrk, 0)
      ENDIF

  END ails
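The theory above can be run as an executable model. The following Python module is an added example and is not part of the paper or its PVS development: it transcribes chkrange, chktrack, arc_loop and ails_alert from Appendix C and exercises them on constructed states, including the case Lemma 32 is about (a blundering intruder with $\tau(0) > 0$) and a banked intruder turning away. Everything Appendix C leaves as a named constant or an imported function is an assumption of this example: the numeric values of $g$, $\mathrm{MaxBank}$, $\mathrm{AlertRange}$, $\mathrm{AlertTime}$ and $\mathrm{MaxStep}$; the reading of $R(i, e, t)$ as the range between the two straight-line projections at time $t$ and of $\tau$ as the time of closest approach along those projections (Equation 14 is not reproduced in this appendix); a step length of one time unit per $k$; the use of the magnitude of $v^2/(g\tan\phi)$ as the turn radius so that both branches of arc_loop trace a forward arc; and the comparison of $\rho$ with the idtrk thresholds in the units in which it is computed.

```python
import math
from dataclasses import dataclass, replace

# v = 250 is the speed used throughout the lemmas. The remaining constants are
# assumptions of this example; Appendix C only names them.
V = 250.0                        # common speed of both aircraft
G = 32.2                         # assumption: ft/s^2
MAX_BANK = math.radians(45.0)    # assumption: bound of the Bank type
ALERT_RANGE = 2000.0             # assumption: same length unit as x, y
ALERT_TIME = 20.0                # assumption: seconds
MAX_STEP = 30                    # assumption: number of projection steps


@dataclass(frozen=True)
class State:
    """The PVS State record. Headings are radians; heading h means velocity
    v (cos h, sin h), which is the convention the tangent formulas in arc_loop
    imply. arc_loop's frame has the evader flying along +x, i.e. heading 0."""
    x: float
    y: float
    heading: float
    bank: float

    def __post_init__(self):
        if not -MAX_BANK <= self.bank <= MAX_BANK:
            raise ValueError("bank outside the Bank type")


def rho_of(phi):
    """rho(phi) = g tan(phi) / v."""
    return G * math.tan(phi) / V


def _velocity(s):
    return V * math.cos(s.heading), V * math.sin(s.heading)


def _relative(i, e, t):
    """Relative position of i w.r.t. e at time t along straight-line projections,
    plus the relative velocity (assumed reading of Equation 14)."""
    vix, viy = _velocity(i)
    vex, vey = _velocity(e)
    dx = (i.x + vix * t) - (e.x + vex * t)
    dy = (i.y + viy * t) - (e.y + vey * t)
    return dx, dy, vix - vex, viy - vey


def R(i, e, t):
    """Range between the straight-line projections of i and e at time t."""
    dx, dy, _, _ = _relative(i, e, t)
    return math.hypot(dx, dy)


def tau(i, e, t):
    """Time after t at which the straight-line range is minimal (closest point of
    approach); negative means the aircraft are already diverging."""
    dx, dy, wx, wy = _relative(i, e, t)
    ww = wx * wx + wy * wy
    if ww == 0.0:            # parallel tracks at equal speed: the range is constant
        return 0.0
    return -(dx * wx + dy * wy) / ww


def chkrange(rng, t):
    return rng <= ALERT_RANGE and t <= ALERT_TIME


def chktrack(i, e, t):
    tau0 = tau(i, e, 0)
    if tau0 < 0:
        return chkrange(R(i, e, 0), t)
    if t + tau0 >= ALERT_TIME:
        return R(i, e, ALERT_TIME) <= ALERT_RANGE
    return R(i, e, tau0) <= ALERT_RANGE


def arc_loop(i, e, r, rho, idtrk):
    """Iterative form of the RECURSIVE arc_loop; reaching k = MaxStep yields FALSE.
    Every idtrk-th step projects a straight track tangent to the arc (chktrack);
    the other steps only check the range at the arc point itself."""
    h = i.heading
    for k in range(MAX_STEP):
        t = float(k)                        # assumption: one time unit per step
        xloc, yloc = e.x + V * t, e.y       # evader flies along +x
        if rho > 0:
            xtrk = i.x + r * (math.sin(h + rho * t) - math.sin(h))
            ytrk = i.y + r * (math.cos(h) - math.cos(h + rho * t))
        else:
            xtrk = i.x + r * (math.sin(h) - math.sin(h + rho * t))
            ytrk = i.y + r * (math.cos(h + rho * t) - math.cos(h))
        if k % idtrk != 0:
            if chkrange(math.hypot(xtrk - xloc, ytrk - yloc), t):
                return True
        else:
            intr = replace(i, x=xtrk, y=ytrk, heading=h + t * rho)
            eva = replace(e, x=xloc, y=yloc)
            if chktrack(intr, eva, t):
                return True
    return False


def ails_alert(i, e):
    phi = i.bank
    rho = rho_of(phi)
    if rho == 0:
        return chktrack(i, e, 0)
    # assumption: the magnitude of v^2/(g tan(phi)) is used as the turn radius,
    # which is what the sign split on rho in arc_loop requires for a forward arc
    r = abs(V * V / (G * math.tan(phi)))
    if rho >= 3:
        idtrk = 1
    elif rho >= 1.5:
        idtrk = 2
    elif rho >= 0.75:
        idtrk = 4
    else:
        idtrk = 8
    return arc_loop(i, e, r, rho, idtrk)
```

Constructed scenario for the usage: the evader at the origin heading along $+x$, the intruder 3400 length units to the side. Flying parallel with zero bank raises no alert; heading 30 degrees toward the evader's path with zero bank, or banking 30 degrees toward it, raises one; banking 30 degrees away does not. For the banked cases only the $k = 0$ tangential projection is a straight-line check, as in the proof of Lemma 32; the alert in the converging case is raised by the $k = 8$ projection.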